JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

Ruby is a scripting language designed for simplified object-oriented programming.

Ruby

### Impact
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.
### Resources
The XSS vulnerability was reported by HackerOne researcher [michaelcheers](https://hackerone.com/michaelcheers?type=user).

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-69264	HIGH	8.8	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2025-69262	HIGH	7.5	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2025-69263	HIGH	7.5	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2026-22028	HIGH	7.2	JavaScript	preact	No	Yes	Jan 07, 2026
CVE-2025-9611	HIGH	7.2	JavaScript	@playwright/mcp	No	Yes	Jan 07, 2026

GHSA-g9jg-w8vm-g96v:
JavaScript vulnerability analysis and mitigation

Impact

Patches

Resources

4.6

Related JavaScript vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

GHSA-g9jg-w8vm-g96v: JavaScript vulnerability analysis and mitigation