Description
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to cross-site scripting (XSS) and mutation XSS (mXSS) attacks when malicious content is pasted into the editor.
Recommendation
Update the trix package to the latest compatible version. Version details:

Affected version(s): **>= 1.0.0, < 1.3.3** and **>= 2.0.0, < 2.1.9**
Patched version(s): **1.3.3** and **2.1.9**
References
Related Issues
- Trix has a stored XSS vulnerability through its attachment attribute - Vulnerability
Tags: npm, trix
Last updated on December 09, 2024