Trix has a stored XSS vulnerability through its attachment attribute
- Severity: Medium
Description
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
Recommendation
Update the trix package to the latest compatible version. The version details are as follows:
- Affected version(s): < 2.1.16
- Patched version(s): 2.1.16
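As an added example (not part of this advisory or of the Trix project), the following script checks the trix versions recorded in an npm lockfile against the patched version above, so a dependency audit can flag installed copies that are still in the affected range, including nested copies pulled in by other packages. The lockfile object is constructed for illustration; a real check would load package-lock.json from disk.

```javascript
// Added example: flag installed copies of trix older than the patched
// version (2.1.16) named in the advisory. Not code from the advisory.
const PATCHED_TRIX_VERSION = "2.1.16";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare two versions: -1, 0 or 1. A prerelease of X.Y.Z sorts before X.Y.Z,
// which matters here because 2.1.16-beta.1 is still below the patched release.
// Ordering between two different prereleases is not needed for this check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Affected range from the advisory: < 2.1.16
function isAffectedTrixVersion(version) {
  return compareVersions(version, PATCHED_TRIX_VERSION) < 0;
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3) and return
// every installed trix copy, top-level or nested, that is in the affected range.
function findAffectedTrix(lockfile) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    const isTrix = path === "node_modules/trix" || path.endsWith("/node_modules/trix");
    if (isTrix && pkg.version && isAffectedTrixVersion(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one vulnerable top-level copy, one fixed nested copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/trix": { version: "2.1.15" },
    "node_modules/some-editor-wrapper": { version: "0.4.0" },
    "node_modules/some-editor-wrapper/node_modules/trix": { version: "2.1.16" },
  },
};

for (const hit of findAffectedTrix(SAMPLE_LOCKFILE)) {
  console.log(`affected trix ${hit.version} at ${hit.path}; upgrade to >= ${PATCHED_TRIX_VERSION}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested copies are checked deliberately, since a fixed top-level trix does not guarantee that a transitive dependency is not still bundling an older one.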
References
Related Issues
- Elliptic Uses a Cryptographic Primitive with a Risky Implementation - CVE-2025-14505
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
- MetaMask SDK indirectly exposed via malicious [email protected] dependency - Vulnerability
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Tags: npm, trix
Last updated on January 08, 2026