Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/trix@2.1.13
Typenpm
Namespace
Nametrix
Version2.1.13
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.1.17
Latest_non_vulnerable_version2.1.18
Affected_by_vulnerabilities
0
url VCID-d266-4vk3-buc1
vulnerability_id VCID-d266-4vk3-buc1
summary 
Trix vulnerable to Cross-site Scripting on copy & paste
### Impact
The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later.

### References
The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-46812
reference_id
reference_type
scores
0
value 0.0035
scoring_system epss
scoring_elements 0.5747
published_at 2026-04-04T12:55:00Z
1
value 0.0035
scoring_system epss
scoring_elements 0.57501
published_at 2026-04-18T12:55:00Z
2
value 0.0035
scoring_system epss
scoring_elements 0.57478
published_at 2026-04-13T12:55:00Z
3
value 0.0035
scoring_system epss
scoring_elements 0.57496
published_at 2026-04-12T12:55:00Z
4
value 0.0035
scoring_system epss
scoring_elements 0.57519
published_at 2026-04-11T12:55:00Z
5
value 0.0035
scoring_system epss
scoring_elements 0.57504
published_at 2026-04-16T12:55:00Z
6
value 0.0035
scoring_system epss
scoring_elements 0.575
published_at 2026-04-08T12:55:00Z
7
value 0.0035
scoring_system epss
scoring_elements 0.57448
published_at 2026-04-02T12:55:00Z
8
value 0.0035
scoring_system epss
scoring_elements 0.57447
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-46812
1
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
2
reference_url https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
reference_id
reference_type
scores
0
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/
url https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
3
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/
url https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-46812
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-46812
5
reference_url https://github.com/advisories/GHSA-mcrw-746g-9q8h
reference_id GHSA-mcrw-746g-9q8h
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mcrw-746g-9q8h
fixed_packages
0
url pkg:npm/trix@2.1.15
purl pkg:npm/trix@2.1.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k8n9-p3pp-8fh7
1
vulnerability VCID-q1s4-ash2-5udy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.15
aliases CVE-2025-46812, GHSA-mcrw-746g-9q8h
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d266-4vk3-buc1
1
url VCID-k8n9-p3pp-8fh7
vulnerability_id VCID-k8n9-p3pp-8fh7
summary 
Trix has a Stored XSS vulnerability through serialized attributes
### Impact
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.

### References
The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
2
reference_url https://github.com/basecamp/trix/pull/1282
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/pull/1282
3
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.17
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.17
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
6
reference_url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
reference_id GHSA-qmpg-8xg6-ph5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
fixed_packages
0
url pkg:npm/trix@2.1.17
purl pkg:npm/trix@2.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17
aliases GHSA-qmpg-8xg6-ph5q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8n9-p3pp-8fh7
2
url VCID-q1s4-ash2-5udy
vulnerability_id VCID-q1s4-ash2-5udy
summary 
Trix has a stored XSS vulnerability through its attachment attribute
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
2
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.16
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.16
3
reference_url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
reference_id GHSA-g9jg-w8vm-g96v.yml
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
fixed_packages
0
url pkg:npm/trix@2.1.16
purl pkg:npm/trix@2.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k8n9-p3pp-8fh7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16
aliases GHSA-g9jg-w8vm-g96v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q1s4-ash2-5udy
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.13