{"url":"http://public2.vulnerablecode.io/api/packages/33014?format=json","purl":"pkg:npm/trix@2.1.4","type":"npm","namespace":"","name":"trix","version":"2.1.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.18","latest_non_vulnerable_version":"2.1.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359426?format=json","vulnerability_id":"VCID-2ugz-6znp-aqc2","summary":"Trix has a Stored XSS vulnerability through serialized attributes\n### Impact\n\nThe Trix editor, in versions prior to 2.1.17, is vulnerable to XSS\nattacks when a `data-trix-serialized-attributes` attribute bypasses\nthe DOMPurify sanitizer.\n\nAn attacker could craft HTML containing a `data-trix-serialized-attributes`\nattribute with a malicious payload that, when the content is rendered,\ncould execute arbitrary JavaScript code within the context of the user's\nsession, potentially leading to unauthorized actions being performed\nor sensitive information being disclosed.\n\n### Patches\n\nUpdate Recommendation: Users should upgrade to Trix editor\nversion 2.1.17 or later.\n\n### References\n\nThe XSS vulnerability was responsibly reported by Hackerone\nresearcher 
[newbiefromcoma](https://hackerone.com/newbiefromcoma).","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc"},{"reference_url":"https://github.com/basecamp/trix/pull/1282","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/pull/1282"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.17","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.17"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","sco
ring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml"},{"reference_url":"https://github.com/advisories/GHSA-qmpg-8xg6-ph5q","reference_id":"GHSA-qmpg-8xg6-ph5q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qmpg-8xg6-ph5q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375257?format=json","purl":"pkg:npm/trix@2.1.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pn87-vyk5-xqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17"}],"aliases":["GHSA-qmpg-8xg6-ph5q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ugz-6znp-aqc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44554?format=json","vulnerability_id":"VCID-hec4-k9e8-bfdt","summary":"The Trix rich text editor, prior to versions 2.1.9 and 1.3.3, is vulnerable to cross-site scripting (XSS) + mutation XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. 
Users should upgrade to Trix editor version 2.1.9 or 1.3.3, which uses DOMPurify to sanitize the pasted content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53847","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44875","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53847"},{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53847","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53847"},{"reference_url":"https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8","reference_id":"272c7e27e722608732a67108ad3fe7870e233ac8","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-10T16:15:17Z/"}],"url":"https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8"},{"reference_url":"https://github.com/advisories/GHSA-6vx4-v2jw-qwqh","reference_id":"GHSA-6vx4-v2jw-qwqh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6vx4-v2jw-qwqh"},{"reference_url":"https://github.com/basecamp/tri
x/security/advisories/GHSA-6vx4-v2jw-qwqh","reference_id":"GHSA-6vx4-v2jw-qwqh","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-10T16:15:17Z/"}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372480?format=json","purl":"pkg:npm/trix@2.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-pn87-vyk5-xqf8"},{"vulnerability":"VCID-pyyj-9p9s-bfem"},{"vulnerability":"VCID-yq9x-dtew-gbht"},{"vulnerability":"VCID-zmfq-w1xc-pqam"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.9"}],"aliases":["CVE-2024-53847","GHSA-6vx4-v2jw-qwqh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hec4-k9e8-bfdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359425?format=json","vulnerability_id":"VCID-pn87-vyk5-xqf8","summary":"Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)\n### Impact\n\nThe Trix editor, in versions prior to 2.1.18, is vulnerable to XSS\nwhen a crafted `application/x-trix-document` JSON payload is dropped\ninto the editor in environments using the fallback Level0InputController\n(e.g., embedded WebViews lacking Input Events Level 2 support).\n\nThe `StringPiece.fromJSON` method trusted `href` attributes from the\nJSON payload without sanitization. 
An attacker could craft a draggable\nelement containing a `javascript:` URI in the href attribute that,\nwhen dropped into a vulnerable editor, would bypass DOMPurify\nsanitization and inject executable JavaScript into the DOM.\n\nExploitation requires a specific environment (Level0InputController\nfallback) and social engineering (victim must drag and drop\nattacker-controlled content into the editor). Applications using\nserver-side HTML sanitization (such as Rails' built-in sanitizer)\nare additionally protected, as the payload is neutralized on save.\n\n### Patches\n\nUpdate Recommendation: Users should upgrade to Trix editor\nversion 2.1.18 or later.\n\n### References\n\nThe XSS vulnerability was responsibly reported by Hackerone\nresearcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.18","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.18"},{"ref
erence_url":"https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml"},{"reference_url":"https://github.com/advisories/GHSA-53p3-c7vp-4mcc","reference_id":"GHSA-53p3-c7vp-4mcc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53p3-c7vp-4mcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374837?format=json","purl":"pkg:npm/trix@2.1.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.18"}],"aliases":["GHSA-53p3-c7vp-4mcc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pn87-vyk5-xqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212466?format=json","vulnerability_id":"VCID-pyyj-9p9s-bfem","summary":"Trix has a stored XSS vulnerability through its attachment 
attribute","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.16","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.16"},{"reference_url":"https://github.com/advisories/GHSA-g9jg-w8vm-g96v","reference_id":"GHSA-g9jg-w8vm-g96v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g9jg-w8vm-g96v"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v","reference_id":"GHSA-g9jg-w8vm-g96v","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v"},{"refe
rence_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml","reference_id":"GHSA-g9jg-w8vm-g96v.yml","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36455?format=json","purl":"pkg:npm/trix@2.1.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-pn87-vyk5-xqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16"}],"aliases":["GHSA-g9jg-w8vm-g96v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pyyj-9p9s-bfem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97551?format=json","vulnerability_id":"VCID-yq9x-dtew-gbht","summary":"Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. 
This issue has been patched in version 2.1.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46812","reference_id":"","reference_type":"","scores":[{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57842","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46812"},{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46812","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46812"},{"reference_url":"https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191","reference_id":"75226089646841b0f774d8b152e5ec27d2d9e191","reference_type":"","scores":[{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/"}],"url":"https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191"},{"reference_url":"https://github.com/advisories/GHSA-mcrw-746g-9q8h","reference_id":"GHSA-mcrw-746g-9q8h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mcrw-74
6g-9q8h"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h","reference_id":"GHSA-mcrw-746g-9q8h","reference_type":"","scores":[{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/"}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378912?format=json","purl":"pkg:npm/trix@2.1.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-pn87-vyk5-xqf8"},{"vulnerability":"VCID-pyyj-9p9s-bfem"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.15"}],"aliases":["CVE-2025-46812","GHSA-mcrw-746g-9q8h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yq9x-dtew-gbht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109497?format=json","vulnerability_id":"VCID-zmfq-w1xc-pqam","summary":"Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. 
In addition to upgrading, affected users can disallow browsers that don't support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21610","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.4204","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-21610"},{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21610","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21610"},{"reference_url":"https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa","reference_id":"180c8d337f18e1569cea6ef29b4d03ffff5b5faa","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/"}],"url":"https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa"},{"reference_url":"https://gist.github.com/th4s1s/3921
fd9c3e324ad9a3e0d846166e3eb8","reference_id":"3921fd9c3e324ad9a3e0d846166e3eb8","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/"}],"url":"https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8"},{"reference_url":"https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93","reference_id":"c4f0d6f80654603932af6685694f694e96593b93","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/"}],"url":"https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93"},{"reference_url":"https://github.com/advisories/GHSA-j386-3444-qgwg","reference_id":"GHSA-j386-3444-qgwg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j386-3444-qgwg"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg","reference_id":"GHSA-j386-3444-qgwg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/"}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376952?format=json","purl":"pkg:npm/trix@2.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[
{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-pn87-vyk5-xqf8"},{"vulnerability":"VCID-pyyj-9p9s-bfem"},{"vulnerability":"VCID-yq9x-dtew-gbht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.12"}],"aliases":["CVE-2025-21610","GHSA-j386-3444-qgwg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zmfq-w1xc-pqam"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31865?format=json","vulnerability_id":"VCID-14g9-7gcp-nkcs","summary":"The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In pull request 1149, sanitization was added for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. 
This vulnerability was fixed in version 2.1.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43368","reference_id":"","reference_type":"","scores":[{"value":"0.00392","scoring_system":"epss","scoring_elements":"0.60602","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43368"},{"reference_url":"https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer"},{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/pull/1149","reference_id":"1149","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.com/basecamp/trix/pull/1149"},{"reference_url":"https://github.com/basecamp/trix/pull/1156","reference_id":"1156","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.
com/basecamp/trix/pull/1156"},{"reference_url":"https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6","reference_id":"7656f578af0d03141a72a9d27cb3692e6947dae6","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43368","reference_id":"CVE-2024-43368","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43368"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99","reference_id":"GHSA-qjqp-xr96-cj99","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"},{"reference_url":"https://github.com/advisories/GHSA-qm2q-9f3q-2vcv","reference_id":"GHSA-qm2q-9f3q-2vcv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm2q-9f3q-2vcv"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv","reference_id":"GHSA-qm2q-9f3q-2vcv","reference_type":"","scores":[{"value":"6.5","scoring_sys
tem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.4","reference_id":"v2.1.4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/"}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33014?format=json","purl":"pkg:npm/trix@2.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-hec4-k9e8-bfdt"},{"vulnerability":"VCID-pn87-vyk5-xqf8"},{"vulnerability":"VCID-pyyj-9p9s-bfem"},{"vulnerability":"VCID-yq9x-dtew-gbht"},{"vulnerability":"VCID-zmfq-w1xc-pqam"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.4"}],"aliases":["CVE-2024-43368","GHSA-qm2q-9f3q-2vcv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-14g9-7gcp-nkcs"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.4"}