A stored XSS vulnerability (GitHub advisory GHSA-qmpg-8xg6-ph5q) has been disclosed in the Trix editor (used by Rails Action Text), affecting versions prior to 2.1.17. An attacker can craft HTML with a malicious `data-trix-serialized-attributes` attribute that bypasses the DOMPurify sanitization step, enabling arbitrary JavaScript execution in the victim's session. The fix is to upgrade to Trix version 2.1.17 or later. The vulnerability was responsibly reported via HackerOne and carries a CVSS v3 score of 4.6 (Medium).

From rubysec.com