CVE-2025-46812

EPSS 0.35%

Trix vulnerable to Cross-site Scripting on copy & paste

Published: 5/8/2025Modified: 5/8/2025

Description

### Impact The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later. ### References The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user).

Affected packages (1)

npm/trixfrom 0, < 2.1.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-46812
PATCHhttps://github.com/basecamp/trix
WEBhttps://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
WEBhttps://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h