Trix vulnerable to Cross-site Scripting on copy & paste

GHSA-mcrw-746g-9q8h · CVE-2025-46812

Published May 8, 2025 · Modified May 8, 2025

Description

Impact

The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later.

References

The XSS vulnerability was reported by HackerOne researcher hiumee.

References

WEB https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-46812
WEB https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
PACKAGE https://github.com/basecamp/trix

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes