Main Vulnerability Database Vulnerabilities #VU128363

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Trix - #VU128363

Published: April 28, 2026

Vulnerability identifier: #VU128363

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-80

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Basecamp

Affected software:
Trix

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code in the user's session.

The vulnerability exists due to cross-site scripting in the data-trix-attachment attribute when rendering attachment payloads as HTML and the content is clicked. A remote user can inject malicious code into a crafted attachment attribute to execute arbitrary JavaScript code in the user's session.

User interaction is required to click the rendered content.

Remediation

Install security update from vendor's website.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Trix - #VU128363

Detailed vulnerability description

Remediation

Sources

Please verify you're human