Trix has a stored XSS vulnerability through its attachment attribute

Description

The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

Recommendation

Update the trix package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.1.16
• Patched version(s): 2.1.16

References

• GHSA-g9jg-w8vm-g96v
• CWE-79
• OWASP 2021-A3

Related Issues

• Trix has a Stored XSS vulnerability through serialized attributes - Vulnerability
• Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) - Vulnerability
• Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
• CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

These 7 PHP mistakes leave your website open to the hackers

How do hackers hack websites?

Tags:

npm

trix