GHSA SYNC: 1 brand new advisory (#949)

Author: jasnow

gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml

@@ -0,0 +1,36 @@
+---
+gem: action_text-trix
+ghsa: g9jg-w8vm-g96v
+url: https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+title: Trix has a stored XSS vulnerability through its attachment attribute
+date: 2025-12-31
+description: |
+  ### Impact
+
+  The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS
+  attacks through attachment payloads.
+
+  An attacker could inject malicious code into a data-trix-attachment
+  attribute that, when rendered as HTML and clicked on, could execute
+  arbitrary JavaScript code within the context of the user's session,
+  potentially leading to unauthorized actions being performed or
+  sensitive information being disclosed.
+
+  ### Patches
+
+  Update Recommendation: Users should upgrade to Trix editor
+  version 2.1.16 or later.
+
+  ### Resources
+
+  The XSS vulnerability was reported by HackerOne researcher
+  [michaelcheers](https://hackerone.com/michaelcheers?type=user).
+cvss_v3: 4.6
+patched_versions:
+  - ">= 2.1.16"
+related:
+  url:
+    - https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+    - https://github.com/basecamp/trix/releases/tag/v2.1.16
+    - https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
+    - https://github.com/advisories/GHSA-g9jg-w8vm-g96v