Quill 2.0.3 - Lack of data validation in HTML export allowing XSS

Key Information

Severity: 5.1 (Medium)
Discovered by: Cristian Vargas (Offensive Team, Fluid Attacks)
Release Date: Jan 13, 2026
Affected Product: Quill
CVE ID: CVE-2025-15056
Exploit Available: No

Vulnerability Details

Root Cause: Embedded elements interpolate user-controlled values directly into HTML strings returned by without escaping or sanitization.

Vulnerable Export Path: → uses blot-provided HTML if exists.

Vulnerable Blots:
- → : Returns (unescaped).
- → : Returns (unescaped).

PoC

Host the provided HTML code in a web server. The formula and video values are controlled by user input. Specific values can break the expected markup and inject malicious attributes.

Timeline

Dec 19, 2025: Vulnerability discovered
Dec 23, 2025: Vendor contacted
Jan 13, 2026: Public disclosure

References

GitHub Repository
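The root cause above (an embed's user-controlled value interpolated straight into an HTML attribute during export) is illustrated below with an added example; this is not Quill's code, and the names unsafeEmbedHtml, safeEmbedHtml, escapeAttr and isAllowedEmbedSrc are hypothetical. It shows the unescaped pattern next to a hardened one and a check that counts how many attributes actually end up in the exported tag.

```javascript
// Constructed sample value: a double quote lets it spill out of the src
// attribute and land in the markup as a second attribute.
const SAMPLE_VALUE = 'x" data-foo="y';

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: the blot's value is dropped into the exported HTML as-is.
function unsafeEmbedHtml(value) {
  return `<iframe src="${value}"></iframe>`;
}

// Hardened pattern: escape before interpolating, so the value stays one attribute.
function safeEmbedHtml(value) {
  return `<iframe src="${escapeAttr(value)}"></iframe>`;
}

// For URL-valued embeds (the video case) also restrict the scheme; escaping alone
// does not stop a non-http(s) URL from being exported as a frame source.
function isAllowedEmbedSrc(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:';
  } catch {
    return false;
  }
}

// Detection helper: count attribute-looking tokens (` name="`) in the exported tag.
// A value that injects attributes makes this number grow.
function countAttributes(html) {
  return (html.match(/\s[\w-]+="/g) || []).length;
}

console.log(countAttributes(unsafeEmbedHtml(SAMPLE_VALUE))); // 2: src plus injected data-foo
console.log(countAttributes(safeEmbedHtml(SAMPLE_VALUE)));   // 1: only src survives
```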