Description
A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS).

This issue affects Quill: 2.0.3.
Published: 2026-01-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting via unvalidated HTML export
Action: Apply Patch
AI Analysis

Impact

Quill's HTML export feature does not validate the content it writes into the export file, so an attacker who controls editor content can get script tags into the exported HTML. When a user opens the resulting document in a browser, the embedded JavaScript runs in that user's context, allowing the attacker to steal session information, deface content, or perform other actions in the user's browser. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting').

Affected Systems

The vulnerability affects version 2.0.3 of the Quill library, published by Slab. It is present in every supported environment for that version, including Node.js deployments and installations on Linux, macOS, and Windows.

Risk and Exploitability

The CVSS v4.0 score of 5.1 indicates moderate severity (the CVSS v3.1 vector recorded for this issue scores 6.1). An EPSS score below 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted export file and persuade a user to open it in a browser that renders the HTML, so the attack depends on user interaction.

Generated by OpenCVE AI on April 20, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quill to the latest available version that includes the export validation fix
  • If upgrading is not immediately possible, strictly validate or reject untrusted content before generating an HTML export, or disable the export feature entirely
  • Deploy a Content Security Policy that blocks inline scripts and restricts script execution to trusted origins



Advisories

Source        ID                     Title
GitHub GHSA   GHSA-v3m3-f69x-jf25    Quill is vulnerable to XSS via HTML export feature
History

Mon, 20 Apr 2026 16:30:00 +0000
  Weaknesses: CWE-74

Fri, 10 Apr 2026 17:30:00 +0000
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:slab:quill:2.0.3:*:*:*:*:node.js:*:*
  Metrics: cvssV3_1
    {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 13 Jan 2026 22:15:00 +0000
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 21:00:00 +0000
  Description: A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3.
  Title: Quill 2.0.3 - Lack of data validation in HTML export allowing XSS
  First Time appeared: Slab; Slab quill
  Weaknesses: CWE-74
  CPEs: cpe:2.3:a:slab:quill:2.0.3:*:linux:*:*:*:*:*
        cpe:2.3:a:slab:quill:2.0.3:*:macos:*:*:*:*:*
        cpe:2.3:a:slab:quill:2.0.3:*:windows:*:*:*:*:*
  Vendors & Products: Slab; Slab quill
  References:
  Metrics: cvssV4_0
    {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-20T14:10:18.123Z

Reserved: 2025-12-23T18:21:36.039Z

Link: CVE-2025-15056

Vulnrichment

Updated: 2026-01-13T21:27:50.983Z

NVD

Status: Modified

Published: 2026-01-13T21:15:49.720

Modified: 2026-04-20T16:16:40.413

Link: CVE-2025-15056

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses