CVE-2025-15056
Cross-Site Scripting in Quill 2.0.3 HTML Export Feature
Publication date: 2026-01-13
Last updated on: 2026-04-20
Assigner: Fluid Attacks
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slab | quill | 2.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15056 is a Cross-Site Scripting (XSS) vulnerability in Quill version 2.0.3 caused by a lack of data validation in the HTML export feature, specifically in formula and video embeds. The vulnerability occurs because user-controlled input is directly embedded into HTML strings without escaping or sanitization, allowing attackers to inject malicious HTML or JavaScript. This can lead to arbitrary script execution in the victim's browser when the exported HTML is rendered. [2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of a victim's browser by injecting malicious code into formula or video embeds in Quill's HTML export. This can lead to theft of sensitive information, session hijacking, or other malicious actions when the exported HTML is rendered without proper sanitization. The flaw is remotely exploitable without authentication but requires user interaction. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting HTML exports from Quill version 2.0.3 for unescaped user input in formula and video embeds. Specifically, look for HTML output containing suspicious or malicious payloads such as injected tags or event handlers (e.g., </span><img src=x onerror=alert(1)> or URLs with embedded JavaScript). Detection can involve searching exported HTML files or logs for these patterns. Commands such as grep or similar text search tools can be used, for example: grep -rE '</span><img|onerror=|onmouseover=' /path/to/exported/html. Additionally, monitoring web application inputs and outputs for unescaped HTML in formula or video embeds can help identify exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing or escaping all user-controlled input in formula and video embeds before exporting or rendering HTML. Since no patch is currently available, developers should implement input validation and output encoding to prevent injection of malicious HTML or JavaScript. Avoid rendering raw HTML from Quill's export functions without proper sanitization. Additionally, consider restricting or disabling the HTML export feature temporarily if feasible, and educate users about the risk of interacting with untrusted content. Monitoring for suspicious activity and applying web application firewall (WAF) rules to block typical XSS payloads can also help reduce risk. [2]