CVE-2025-46812 – trix

Package

Manager: npm
Name: trix
Vulnerable Version: >=0 <2.1.15

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

EPSS: 0.00091 pctl0.26721

Details

Trix vulnerable to Cross-site Scripting on copy & paste ### Impact The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later. ### References The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).

Metadata

Created: 2025-05-08T14:48:23Z
Modified: 2025-05-08T22:00:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-mcrw-746g-9q8h/GHSA-mcrw-746g-9q8h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-mcrw-746g-9q8h
Finding: F008
Auto approve: 1