CVE-2025-15056
Unknown Unknown - Not Provided
Cross-Site Scripting in Quill 2.0.3 HTML Export Feature

Publication date: 2026-01-13

Last updated on: 2026-04-20

Assigner: Fluid Attacks

Description
A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
slab quill 2.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15056 is a Cross-Site Scripting (XSS) vulnerability in Quill version 2.0.3 caused by a lack of data validation in the HTML export feature, specifically in formula and video embeds. The vulnerability occurs because user-controlled input is directly embedded into HTML strings without escaping or sanitization, allowing attackers to inject malicious HTML or JavaScript. This can lead to arbitrary script execution in the victim's browser when the exported HTML is rendered. [2]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of a victim's browser by injecting malicious code into formula or video embeds in Quill's HTML export. This can lead to theft of sensitive information, session hijacking, or other malicious actions when the exported HTML is rendered without proper sanitization. The flaw is remotely exploitable without authentication but requires user interaction. [2]

Detection Guidance

This vulnerability can be detected by inspecting HTML exports from Quill version 2.0.3 for unescaped user input in formula and video embeds. Specifically, look for HTML output containing suspicious or malicious payloads such as injected tags or event handlers (e.g., </span><img src=x onerror=alert(1)> or URLs with embedded JavaScript). Detection can involve searching exported HTML files or logs for these patterns. Commands such as grep or similar text search tools can be used, for example: grep -rE '</span><img|onerror=|onmouseover=' /path/to/exported/html. Additionally, monitoring web application inputs and outputs for unescaped HTML in formula or video embeds can help identify exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include sanitizing or escaping all user-controlled input in formula and video embeds before exporting or rendering HTML. Since no patch is currently available, developers should implement input validation and output encoding to prevent injection of malicious HTML or JavaScript. Avoid rendering raw HTML from Quill's export functions without proper sanitization. Additionally, consider restricting or disabling the HTML export feature temporarily if feasible, and educate users about the risk of interacting with untrusted content. Monitoring for suspicious activity and applying web application firewall (WAF) rules to block typical XSS payloads can also help reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15056. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart