Main Vulnerability Database SB20260428196

SB20260428196 - Cross-site scripting in Trix

Published: April 28, 2026

Security Bulletin ID SB20260428196

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2025-46812)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to cross-site scripting in the Trix editor paste handling when processing pasted malicious code. A remote attacker can trick a user into copying and pasting crafted content to execute arbitrary JavaScript code.

User interaction is required to copy and paste the crafted content.

Remediation

Install update from vendor's website.

References

https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h