GHSA-53p3-c7vp-4mcc

Source
https://github.com/advisories/GHSA-53p3-c7vp-4mcc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-53p3-c7vp-4mcc/GHSA-53p3-c7vp-4mcc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-53p3-c7vp-4mcc
Published
2026-03-29T15:22:17Z
Modified
2026-03-29T15:34:49.813163Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
Details

Impact

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The StringPiece.fromJSON method trusted href attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a javascript: URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM.

Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save.
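A defensive counterpart to the flaw described above, as an added example that is not Trix's code or its actual fix: href attributes read from a deserialized document piece are accepted only when their URL scheme is on an allowlist, so a scheme such as javascript: never reaches the DOM. The function names, the piece shape and the sample payload are assumptions constructed for this illustration.

```javascript
// Added example (not Trix's own code or fix): allowlist-based href check for
// attributes of a deserialized document piece, the kind of check a
// StringPiece.fromJSON-style deserializer needs before trusting JSON input.
// Function names and the piece shape are assumptions for this example.

// Schemes an editor link may legitimately use; anything else is dropped.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Relative hrefs are resolved against a placeholder origin so the WHATWG URL
// parser can classify them. The parser also lowercases the scheme, strips
// leading control characters/spaces and removes embedded tabs and newlines,
// which naive string-prefix checks ("startsWith('javascript:')") miss.
const RESOLVE_BASE = "https://example.invalid/";

function sanitizeHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    url = new URL(href, RESOLVE_BASE);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? href : null;
}

// Applies the href policy to one piece's attribute map and returns a copy.
// A rejected href is removed entirely; other attributes are kept.
function sanitizePieceAttributes(attributes) {
  const out = { ...(attributes || {}) };
  if ("href" in out) {
    const safe = sanitizeHref(out.href);
    if (safe === null) delete out.href;
    else out.href = safe;
  }
  return out;
}

// Runs the policy over every piece of a deserialized document.
function sanitizeDocument(pieces) {
  return pieces.map((p) => ({ ...p, attributes: sanitizePieceAttributes(p.attributes) }));
}

// Constructed sample resembling pieces of an application/x-trix-document
// payload; all values are made up for this example.
const SAMPLE_PIECES = [
  { string: "docs", attributes: { href: "https://example.invalid/docs" } },
  { string: "rel", attributes: { href: "/relative/path" } },
  { string: "bad", attributes: { href: " JavaScript:void(0)", bold: true } },
  { string: "plain", attributes: {} },
];
```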

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.

References

The XSS vulnerability was responsibly reported by HackerOne researcher newbiefromcoma.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2026-03-29T15:22:17Z",
    "severity": "LOW",
    "github_reviewed": true
}
Affected packages

npm / trix

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.18

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-53p3-c7vp-4mcc/GHSA-53p3-c7vp-4mcc.json"

RubyGems / action_text-trix

Package

Name
action_text-trix
Purl
pkg:gem/action_text-trix

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.18

Affected versions

0.*
0.0.1
2.*
2.1.15
2.1.16
2.1.17

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-53p3-c7vp-4mcc/GHSA-53p3-c7vp-4mcc.json"