GHSA-G9JG-W8VM-G96V
Vulnerability from github – Published: 2025-12-31 22:07 – Updated: 2026-01-08 21:34
VLAI?
Summary
Trix has a stored XSS vulnerability through its attachment attribute
Details
Impact
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.
Resources
The XSS vulnerability was reported by HackerOne researcher michaelcheers.
Severity ?
4.6 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "trix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "action_text-trix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-31T22:07:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.\n\nAn attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user\u0027s session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.\n\n### Patches\nUpdate Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.\n\n### Resources\nThe XSS vulnerability was reported by HackerOne researcher [michaelcheers](https://hackerone.com/michaelcheers?type=user).",
"id": "GHSA-g9jg-w8vm-g96v",
"modified": "2026-01-08T21:34:41Z",
"published": "2025-12-31T22:07:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v"
},
{
"type": "WEB",
"url": "https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010"
},
{
"type": "PACKAGE",
"url": "https://github.com/basecamp/trix"
},
{
"type": "WEB",
"url": "https://github.com/basecamp/trix/releases/tag/v2.1.16"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Trix has a stored XSS vulnerability through its attachment attribute"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…