{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15056", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-12-23T18:21:36.039Z", "datePublished": "2026-01-13T20:39:29.627Z", "dateUpdated": "2026-04-20T14:10:18.123Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "quill", "platforms": ["Linux", "MacOS", "Windows"], "product": "Quill", "vendor": "Slab", "versions": [{"status": "affected", "version": "2.0.3"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:linux:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:windows:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Cristian Vargas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS).</p><p>This issue affects Quill: 2.0.3.</p>"}], "value": "A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS).\n\nThis issue affects Quill: 2.0.3."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-04-20T14:10:18.123Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/diomedes"}, {"tags": ["product"], "url": "https://github.com/slab/quill"}], "source": {"discovery": "UNKNOWN"}, "title": "Quill 2.0.3 - Lack of data validation in HTML export allowing XSS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T21:27:41.232640Z", "id": "CVE-2025-15056", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:27:56.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15056", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T21:27:41.232640Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T21:27:50.983Z"}}], "cna": {"title": "Quill 2.0.3 - Lack of data validation in HTML export allowing XSS", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Cristian Vargas"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Slab", "product": "Quill", "versions": [{"status": "affected", "version": "2.0.3"}], "platforms": ["Linux", "MacOS", "Windows"], "packageName": "quill", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/diomedes", "tags": ["third-party-advisory"]}, {"url": "https://github.com/slab/quill", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS).\n\nThis issue affects Quill: 2.0.3.", "supportingMedia": [{"type": "text/html", "value": "<p>A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS).</p><p>This issue affects Quill: 2.0.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:linux:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:windows:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-04-20T14:10:18.123Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15056", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:10:18.123Z", "dateReserved": "2025-12-23T18:21:36.039Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-01-13T20:39:29.627Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:slab:quill:2.0.3:*:*:*:*:node.js:*:*", "matchCriteriaId": "46DD2317-B985-4018-B219-BCF5886E165C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS).\n\nThis issue affects Quill: 2.0.3."}, {"lang": "es", "value": "Una vulnerabilidad por falta de validaci\u00f3n de datos en la funci\u00f3n de exportaci\u00f3n HTML en Quill permite cross-site scripting (XSS).\n\nEste problema afecta a Quill: 2.0.3."}], "id": "CVE-2025-15056", "lastModified": "2026-04-20T16:16:40.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-01-13T21:15:49.720", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/diomedes"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://github.com/slab/quill"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "help@fluidattacks.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:51:30.479105+00:00", "value": {"mitigation_remediation": ["Upgrade Quill to the latest available version that includes the export validation fix", "If upgrading is not immediately possible, enforce strict validation or rejection of untrusted content before generating an HTML export, or disable the export feature entirely", "Implement a Content Security Policy that blocks inline scripts and restricts script execution to trusted origins"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site scripting via unvalidated HTML export"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Quill library version 2.0.3 released by Slab. It is present in all supported environments for that version, including Node.js deployments, and installations on Linux, macOS, and Windows.", "description_and_impact": "Quill\u2019s HTML export feature fails to validate injectable content, which allows an attacker to insert malicious script tags into an export file. When a user opens the resulting HTML document in a browser, the embedded JavaScript runs in the victim\u2019s context, giving the attacker the ability to steal session information, deface content, or perform other malicious actions in the user\u2019s browser. The weakness is identified by CWE\u201179 (Improper Neutralization of Input in a Web Page).", "risk_and_exploitability": "The CVSS v3 score of 5.1 indicates a moderate severity level. The EPSS score being less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted export file and persuade a user to open it in a browser that renders the HTML, making it a local or user\u2011interaction\u2011based attack vector."}}}}, "created": "2026-04-20T16:00:10.648175+00:00", "updated": "2026-04-20T19:00:10.686857+00:00", "vendors": []}