Description
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer.
Recommendation
Update the trix package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.1.17
- Patched version(s): 2.1.17
References
Related Issues
- Trix has a stored XSS vulnerability through its attachment attribute - Vulnerability
- Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) - Vulnerability
- Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page - Vulnerability
- Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site - Vulnerability
You might also like:
- Tags:
- npm
- trix
Anything's wrong? Let us know Last updated on March 18, 2026