CVE-2025-46812: Trix vulnerable to Cross-site Scripting on copy & paste

May 8, 2025

The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user’s session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

References

github.com/advisories/GHSA-mcrw-746g-9q8h
github.com/basecamp/trix
github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h
nvd.nist.gov/vuln/detail/CVE-2025-46812

Code Behaviors & Features

Detect and mitigate CVE-2025-46812 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →