Description
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.
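The advisory does not include the patch itself, so the following is an added example (not Trix's own code) of the defensive check that addresses this class of bug: a user-supplied link URL is parsed with the WHATWG URL parser and only allowlisted schemes are accepted before the value is placed in an `href`. The document base `https://example.invalid/editor`, the allowlist of `http`, `https` and `mailto`, and the sample inputs are all constructed assumptions for illustration.

```javascript
// Added example: scheme-allowlist validation for a user-entered link field.
// Not Trix's code; the base URL and allowlist below are constructed assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const DOCUMENT_BASE = "https://example.invalid/editor"; // constructed: resolves relative links

// Returns a normalized, absolute URL string if the scheme is allowed, else null.
function sanitizeLinkHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // The URL parser strips leading/trailing whitespace and embedded tab/newline
    // characters and lower-cases the scheme, so obfuscated schemes normalize
    // to their canonical form before the allowlist check runs.
    url = new URL(input, DOCUMENT_BASE);
  } catch {
    return null; // unparseable input is rejected rather than guessed at
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Minimal HTML escaping for attribute values and text nodes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders an anchor only when the href survives validation; otherwise the
// link text is emitted as plain escaped text so no dangerous href is created.
function renderLink(input, text) {
  const href = sanitizeLinkHref(input);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs exercising the accept and reject paths.
const SAMPLES = [
  "https://example.com/docs",
  "/relative/path",
  "mailto:someone@example.com",
  "javascript:void(0)",
  " JavaScript:void(0)",
  "java\tscript:void(0)",
  "data:text/plain,hello",
  "ftp://example.com/file",
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", sanitizeLinkHref(sample));
}
```

The check keys on the parser's normalized `protocol` rather than on string matching of the raw input, so whitespace padding, mixed case and embedded tab or newline characters are handled by the parser instead of by hand-written regexes that are easy to get wrong.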
Recommendation
Update the trix package to the latest compatible version. Version details:
- Affected version(s): < 2.1.12
- Patched version(s): 2.1.12
Related Issues
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
Tags:
- npm
- trix
Last updated on January 03, 2025