GHSA/SYNC: 1 brand new advisory

Author: jasnow

gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml

@@ -0,0 +1,38 @@
+---
+gem: action_text-trix
+ghsa: qmpg-8xg6-ph5q
+url: https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
+title: Trix has a Stored XSS vulnerability through serialized attributes
+date: 2026-03-12
+description: |
+  ### Impact
+
+  The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS
+  attacks when a `data-trix-serialized-attributes` attribute bypasses
+  the DOMPurify sanitizer.
+
+  An attacker could craft HTML containing a `data-trix-serialized-attributes`
+  attribute with a malicious payload that, when the content is rendered,
+  could execute arbitrary JavaScript code within the context of the user's
+  session, potentially leading to unauthorized actions being performed
+  or sensitive information being disclosed.
+
+  ### Patches
+
+  Update Recommendation: Users should upgrade to Trix editor
+  version 2.1.17 or later.
+
+  ### References
+
+  The XSS vulnerability was responsibly reported by Hackerone
+  researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
+cvss_v3: 4.6
+patched_versions:
+  - ">= 2.1.17"
+related:
+  url:
+    - https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
+    - https://github.com/basecamp/trix/releases/tag/v2.1.17
+    - https://github.com/basecamp/trix/pull/1282
+    - https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
+    - https://github.com/advisories/GHSA-qmpg-8xg6-ph5q