Trix has a stored XSS vulnerability through its attachment attribute
Severity: Medium
Description
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
Recommendation
Update the trix package to the latest compatible version. Version details:
- Affected version(s): < 2.1.16
- Patched version(s): 2.1.16
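As an added check (example code, not from the advisory or the Trix project), the following audits a package.json's declared trix dependency against the patched version given above; the function names and the sample manifest are assumptions for illustration.

```javascript
// Added example: audit a package.json's declared trix version against the
// patched release named in the advisory (2.1.16). Not part of the advisory.
const TRIX_PATCHED = "2.1.16";

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the given trix version lies in the affected range (< 2.1.16).
function isTrixAffected(installed) {
  return compareVersions(installed, TRIX_PATCHED) < 0;
}

// Strip range operators (^, ~, >=) to get the floor of a declared range. A
// range only guarantees the floor; the resolved version in the lockfile or in
// node_modules/trix/package.json is the authoritative value to check.
function rangeFloor(spec) {
  return spec.replace(/^[\^~>=\s]+/, "");
}

// Audit declared dependencies. Returns { declared, floor, affected }, or null
// when trix is not declared at all.
function auditTrix(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (!("trix" in deps)) return null;
  const floor = rangeFloor(deps.trix);
  return { declared: deps.trix, floor, affected: isTrixAffected(floor) };
}

// Constructed sample manifest (hypothetical project) for demonstration.
const samplePackageJson = { name: "demo-app", dependencies: { trix: "^2.1.12" } };
console.log(auditTrix(samplePackageJson));
```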
References
Related Issues
- Trix has a Stored XSS vulnerability through serialized attributes - Vulnerability
- CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
Tags: npm, trix
Last updated on January 08, 2026