GHSA-qmpg-8xg6-ph5q: Trix has a Stored XSS vulnerability through serialized attributes

March 12, 2026

The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user’s session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

References

github.com/advisories/GHSA-qmpg-8xg6-ph5q
github.com/basecamp/trix
github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
github.com/basecamp/trix/pull/1282
github.com/basecamp/trix/releases/tag/v2.1.17
github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q

Code Behaviors & Features

Detect and mitigate GHSA-qmpg-8xg6-ph5q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →