Trix, Stored XSS, CVE-2026-12345 (Moderate)

Listen to this Post

The Trix editor prior to version 2.1.17 is vulnerable to a stored cross-site scripting (XSS) attack due to improper sanitization of the `data-trix-serialized-attributes` attribute. This attribute is designed to handle JSON data for elements like attachments. An attacker can craft HTML content containing a malicious payload within this attribute. When the Trix editor renders this content, it fails to properly sanitize the serialized data, allowing the attacker’s JavaScript to bypass the DOMPurify filter. The malicious script is then executed within the context of the user’s session when the content is viewed. This can lead to session hijacking, unauthorized actions, or sensitive data disclosure. The vulnerability was reported via HackerOne and affects all versions before the patch. The fix involves updating DOMPurify and enhancing the attribute sanitization process.
Platform: Trix
Version: <2.1.17
Vulnerability: Stored XSS
Severity: Moderate
Date: Mar 11, 2026

Prediction: Patch within 48h

What Undercode Say:

Analytics

This vulnerability was discovered through a HackerOne report by researcher “newbiefromcoma”. The exploit chain relies on the editor’s handling of the `data-trix-serialized-attributes` attribute, which is used to store metadata for attachments and other rich content. The flaw lies in the fact that while DOMPurify sanitizes the HTML structure, it did not recursively sanitize the JSON content within this specific attribute. An attacker can inject JavaScript code that, when parsed by the browser during rendering, executes outside of the sanitized DOM. The patch in version 2.1.17 addresses this by implementing deeper, recursive sanitization of the serialized data to neutralize any embedded malicious scripts before they are rendered.

Exploit:

<!-- Malicious HTML payload to be introduced into the Trix editor -->

<div data-trix-serialized-attributes='{"alt":"XSS","caption":"<img src=x onerror=alert(document.cookie)>"}'>Click me</div>

Command to check the current Trix version in a project
grep -r '"trix":' package.json | head -1
// JavaScript to demonstrate how the payload could be programmatically inserted
const maliciousContent = <code><div data-trix-serialized-attributes='{"caption":"<script>alert('XSS')</script>"}'>Exploit</div></code>;
document.querySelector('trix-editor').editor.insertHTML(maliciousContent);
// Example of a vulnerable version detection script
console.log('Trix Version:', Trix.VERSION);
if (Trix.VERSION < '2.1.17') {
console.warn('Vulnerable to CVE-2026-12345');
}

Protection from this CVE

  1. Update Trix: Upgrade to version 2.1.17 or later immediately.
  2. Content Security Policy: Implement a strict CSP header to mitigate XSS impact.
    Apache configuration for CSP
    Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
    
  3. Input Validation: Sanitize user inputs on the server-side as a defense-in-depth measure.
    Ruby on Rails server-side sanitization example
    sanitized_content = ActionController::Base.helpers.sanitize(params[:content])
    
  4. Monitor Logs: Check for unusual activity or attachment handling in your applications.

Impact

A successful exploit allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, where the attacker can impersonate the user. It also enables data theft, including access to cookies, local storage, and performing actions on behalf of the user, such as changing account details or posting content. For applications that handle sensitive data, this poses a significant risk to confidentiality and integrity. The vulnerability is considered moderate due to the requirement of user interaction (viewing the content) and the need for the attacker to have a means to inject the malicious content into the editor.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top