CVE-2025-46812
Trix vulnerable to Cross-site Scripting on copy & paste
Vexday Risk Score
8 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS: 2
EPSS: 0.6%
KEV: no
PoC: —
Nuclei: —
Metasploit: —
Patch: —
Lifecycle
08 May 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to cross-site scripting (XSS) when malicious content is pasted into the editor. An attacker could trick a user into copying and pasting malicious content that would execute arbitrary JavaScript within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15.
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
Affected products
basecamp · trix