Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/trix@1.3.5
Typenpm
Namespace
Nametrix
Version1.3.5
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.1.17
Latest_non_vulnerable_version2.1.18
Affected_by_vulnerabilities
0
url VCID-7qg1-2vaz-aqdu
vulnerability_id VCID-7qg1-2vaz-aqdu
summary 
Trix allows Cross-site Scripting via `javascript:` url in a link
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.

### Impact

An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

### Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later.

### Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

### References

https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

### Credits

This vulnerability was reported by Hackerone researcher https://hackerone.com/lio346?type=user
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-21610
reference_id
reference_type
scores
0
value 0.00147
scoring_system epss
scoring_elements 0.35229
published_at 2026-04-04T12:55:00Z
1
value 0.00147
scoring_system epss
scoring_elements 0.35148
published_at 2026-04-18T12:55:00Z
2
value 0.00147
scoring_system epss
scoring_elements 0.35162
published_at 2026-04-16T12:55:00Z
3
value 0.00147
scoring_system epss
scoring_elements 0.35125
published_at 2026-04-13T12:55:00Z
4
value 0.00147
scoring_system epss
scoring_elements 0.35149
published_at 2026-04-12T12:55:00Z
5
value 0.00147
scoring_system epss
scoring_elements 0.35184
published_at 2026-04-11T12:55:00Z
6
value 0.00147
scoring_system epss
scoring_elements 0.3518
published_at 2026-04-09T12:55:00Z
7
value 0.00147
scoring_system epss
scoring_elements 0.35154
published_at 2026-04-08T12:55:00Z
8
value 0.00147
scoring_system epss
scoring_elements 0.35109
published_at 2026-04-07T12:55:00Z
9
value 0.00147
scoring_system epss
scoring_elements 0.35201
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-21610
1
reference_url https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/
url https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8
2
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
3
reference_url https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/
url https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa
4
reference_url https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/
url https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93
5
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/
url https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-21610
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-21610
7
reference_url https://github.com/advisories/GHSA-j386-3444-qgwg
reference_id GHSA-j386-3444-qgwg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j386-3444-qgwg
fixed_packages
0
url pkg:npm/trix@2.1.12
purl pkg:npm/trix@2.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d266-4vk3-buc1
1
vulnerability VCID-k8n9-p3pp-8fh7
2
vulnerability VCID-q1s4-ash2-5udy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.12
aliases CVE-2025-21610, GHSA-j386-3444-qgwg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7qg1-2vaz-aqdu
1
url VCID-d266-4vk3-buc1
vulnerability_id VCID-d266-4vk3-buc1
summary 
Trix vulnerable to Cross-site Scripting on copy & paste
### Impact
The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later.

### References
The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-46812
reference_id
reference_type
scores
0
value 0.0035
scoring_system epss
scoring_elements 0.5747
published_at 2026-04-04T12:55:00Z
1
value 0.0035
scoring_system epss
scoring_elements 0.57501
published_at 2026-04-18T12:55:00Z
2
value 0.0035
scoring_system epss
scoring_elements 0.57478
published_at 2026-04-13T12:55:00Z
3
value 0.0035
scoring_system epss
scoring_elements 0.57496
published_at 2026-04-12T12:55:00Z
4
value 0.0035
scoring_system epss
scoring_elements 0.57519
published_at 2026-04-11T12:55:00Z
5
value 0.0035
scoring_system epss
scoring_elements 0.57504
published_at 2026-04-16T12:55:00Z
6
value 0.0035
scoring_system epss
scoring_elements 0.575
published_at 2026-04-08T12:55:00Z
7
value 0.0035
scoring_system epss
scoring_elements 0.57448
published_at 2026-04-02T12:55:00Z
8
value 0.0035
scoring_system epss
scoring_elements 0.57447
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-46812
1
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
2
reference_url https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
reference_id
reference_type
scores
0
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/
url https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
3
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/
url https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-46812
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-46812
5
reference_url https://github.com/advisories/GHSA-mcrw-746g-9q8h
reference_id GHSA-mcrw-746g-9q8h
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mcrw-746g-9q8h
fixed_packages
0
url pkg:npm/trix@2.1.15
purl pkg:npm/trix@2.1.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k8n9-p3pp-8fh7
1
vulnerability VCID-q1s4-ash2-5udy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.15
aliases CVE-2025-46812, GHSA-mcrw-746g-9q8h
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d266-4vk3-buc1
2
url VCID-k8n9-p3pp-8fh7
vulnerability_id VCID-k8n9-p3pp-8fh7
summary 
Trix has a Stored XSS vulnerability through serialized attributes
### Impact
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.

### References
The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
2
reference_url https://github.com/basecamp/trix/pull/1282
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/pull/1282
3
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.17
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.17
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
6
reference_url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
reference_id GHSA-qmpg-8xg6-ph5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
fixed_packages
0
url pkg:npm/trix@2.1.17
purl pkg:npm/trix@2.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17
aliases GHSA-qmpg-8xg6-ph5q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8n9-p3pp-8fh7
3
url VCID-q1s4-ash2-5udy
vulnerability_id VCID-q1s4-ash2-5udy
summary 
Trix has a stored XSS vulnerability through its attachment attribute
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
2
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.16
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.16
3
reference_url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
reference_id GHSA-g9jg-w8vm-g96v.yml
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
fixed_packages
0
url pkg:npm/trix@2.1.16
purl pkg:npm/trix@2.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k8n9-p3pp-8fh7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16
aliases GHSA-g9jg-w8vm-g96v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q1s4-ash2-5udy
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/trix@1.3.5