VulnerableCode Package Details - pkg:npm/trix@2.1.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-d266-4vk3-buc1 Aliases: CVE-2025-46812 GHSA-mcrw-746g-9q8h	Trix vulnerable to Cross-site Scripting on copy & paste ### Impact The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later. ### References The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).	2.1.15 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-k8n9-p3pp-8fh7 Aliases: GHSA-qmpg-8xg6-ph5q	Trix has a Stored XSS vulnerability through serialized attributes ### Impact The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later. ### References The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).	2.1.17 Affected by 0 other vulnerabilities.
VCID-q1s4-ash2-5udy Aliases: GHSA-g9jg-w8vm-g96v	Trix has a stored XSS vulnerability through its attachment attribute The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.	2.1.16 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-d266-4vk3-buc1
Aliases:
CVE-2025-46812
GHSA-mcrw-746g-9q8h

Trix vulnerable to Cross-site Scripting on copy & paste ### Impact The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later. ### References The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).

2.1.15
Affected by 2 other vulnerabilities.

VCID-k8n9-p3pp-8fh7
Aliases:
GHSA-qmpg-8xg6-ph5q

Trix has a Stored XSS vulnerability through serialized attributes ### Impact The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later. ### References The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).

2.1.17
Affected by 0 other vulnerabilities.

VCID-q1s4-ash2-5udy
Aliases:
GHSA-g9jg-w8vm-g96v

Trix has a stored XSS vulnerability through its attachment attribute The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

2.1.16
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:37:08.169279+00:00	GitLab Importer	Affected by	VCID-k8n9-p3pp-8fh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/GHSA-qmpg-8xg6-ph5q.yml	38.4.0
2026-04-17T00:05:12.212675+00:00	GitLab Importer	Affected by	VCID-q1s4-ash2-5udy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/GHSA-g9jg-w8vm-g96v.yml	38.4.0
2026-04-16T23:28:30.640579+00:00	GitLab Importer	Affected by	VCID-d266-4vk3-buc1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/CVE-2025-46812.yml	38.4.0
2026-04-13T14:28:19.258707+00:00	GitLab Importer	Affected by	VCID-k8n9-p3pp-8fh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/GHSA-qmpg-8xg6-ph5q.yml	38.3.0
2026-04-12T01:28:28.443285+00:00	GitLab Importer	Affected by	VCID-q1s4-ash2-5udy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/GHSA-g9jg-w8vm-g96v.yml	38.3.0
2026-04-12T00:48:06.812099+00:00	GitLab Importer	Affected by	VCID-d266-4vk3-buc1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/CVE-2025-46812.yml	38.3.0
2026-04-03T01:37:11.267757+00:00	GitLab Importer	Affected by	VCID-q1s4-ash2-5udy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/GHSA-g9jg-w8vm-g96v.yml	38.1.0
2026-04-03T00:56:06.570906+00:00	GitLab Importer	Affected by	VCID-d266-4vk3-buc1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/trix/CVE-2025-46812.yml	38.1.0