VulnerableCode Package Details - pkg:gem/action

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-63mn-56k4-jbh4	Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) ### Impact The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted `application/x-trix-document` JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support). The `StringPiece.fromJSON` method trusted `href` attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a `javascript:` URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM. Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later. ### References The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).	GHSA-53p3-c7vp-4mcc

Vulnerability

Summary

Aliases

VCID-63mn-56k4-jbh4

Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) ### Impact The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted `application/x-trix-document` JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support). The `StringPiece.fromJSON` method trusted `href` attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a `javascript:` URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM. Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later. ### References The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).

GHSA-53p3-c7vp-4mcc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:50.555409+00:00	Ruby Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml	38.4.0
2026-04-11T21:40:00.781383+00:00	Ruby Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml	38.3.0
2026-04-02T19:37:16.544632+00:00	Ruby Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml	38.1.0
2026-04-02T17:01:32.216788+00:00	GHSA Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/advisories/GHSA-53p3-c7vp-4mcc	38.1.0
2026-04-01T15:55:10.126853+00:00	Ruby Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml	38.0.0
2026-04-01T12:53:31.871782+00:00	GithubOSV Importer	Fixing	VCID-63mn-56k4-jbh4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-53p3-c7vp-4mcc/GHSA-53p3-c7vp-4mcc.json	38.0.0