CVE-2025-64501 - ProsemirrorToHtml: Cross-Site Scripting vulnerability through unescaped HTML att...

CVE ID : CVE-2025-64501 Published : Nov. 10, 2025, 10:15 p.m. | 1 hour, 15 minutes ago Description : ProsemirrorToHtml is a JSON converter which takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Applications that use `prosemirror_to_html` to convert ProseMirror documents to HTML, user-generated ProseMirror content, and end users viewing the rendered HTML output are all at risk of attack. This issue is fixed in version 0.2.1. Severity: 7.6 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...