Description
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to cross-site scripting (XSS) and mutation XSS (mXSS) attacks when malicious content is pasted into the editor.
Recommendation
Update the `trix` package to the latest compatible version. Version details:
- Affected version(s): **>= 1.0.0, < 1.3.3** and **>= 2.0.0, < 2.1.9**
- Patched version(s): **1.3.3** and **2.1.9**
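To check whether a project still ships an affected build, the following added example (not code from the advisory or from the Trix project) compares versions found in a `package-lock.json` `packages` map against the two affected ranges above; the lockfile contents are a constructed sample, and pre-releases such as `2.1.9-beta.1` are treated as older than the patched release.

```javascript
// Affected ranges from the advisory: min inclusive, max exclusive.
const AFFECTED_RANGES = [
  { min: "1.0.0", maxExclusive: "1.3.3" },
  { min: "2.0.0", maxExclusive: "2.1.9" },
];
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v"); null if malformed.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(str).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}
// Compare two parsed versions: -1, 0 or 1. A pre-release sorts below its release,
// so "2.1.9-beta.1" is still inside the affected range.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;   // release > pre-release
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;  // coarse string order is enough for a range check
}
// True when versionStr lies in any affected range.
function isAffectedTrixVersion(versionStr) {
  const v = parseVersion(versionStr);
  if (v === null) throw new Error(`unparseable version: ${versionStr}`);
  return AFFECTED_RANGES.some((r) =>
    compareVersions(v, parseVersion(r.min)) >= 0 &&
    compareVersions(v, parseVersion(r.maxExclusive)) < 0);
}
// Walk a lockfileVersion 2/3 "packages" map and report every trix copy,
// including copies nested under other dependencies, that is still affected.
function findAffectedTrix(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/trix$/.test(path) || !entry.version) continue;
    if (isAffectedTrixVersion(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile: the top-level trix is patched, a nested copy is not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/trix": { version: "2.1.9" },
  "node_modules/legacy-ui-kit/node_modules/trix": { version: "1.3.2" },
} };
console.log(findAffectedTrix(SAMPLE_LOCK));
```

Nested copies matter because `npm ls trix` only shows the tree as resolved; a second copy pinned by another dependency keeps the vulnerable code in the bundle even after the top-level upgrade.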
References
Related Issues
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
- Knwl.js Regular Expression Denial of Service vulnerability - CVE-2020-26306
Tags: npm, trix
Last updated on December 09, 2024