Description
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code.
Recommendation
Update the trix package to the latest compatible version. Version details follow:
Affected version(s): **>= 1.0.0, < 1.3.3** and **>= 2.0.0, < 2.1.9**. Patched version(s): **1.3.3** and **2.1.9**.
References
Related Issues
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
Tags:
- npm
- trix
Last updated on December 09, 2024