resolved
Stored XSS on Trix Editor version latest (2.1.16) - Sanitizer Bypass
Bug reported by jeeva was disclosed at July 14, 2026, 7:26 pm | Cross-site Scripting (XSS) - Stored
A vulnerability was discovered in Trix Editor version 2.1.16 that allowed for a Stored Cross-Site Scripting (XSS) attack. The vulnerability arose from an unsafe interaction between Trix's custom DOMPurify configuration and its document serialization logic. The issue was caused by Trix's use of the "data-trix-serialized-attributes" attribute, which was not properly sanitized during the serialization process, allowing an attacker to inject malicious JavaScript code. The vulnerability was deemed a direct bypass of previously reported Trix Editor vulnerabilities.
resolved
bedrock-mantle.api.aws accepts Bedrock API keys outside the IAM Deny, CloudTrail signal, and invocation logging AWS publishes for Bedrock keys
Bug reported by Sergio Garcia was disclosed at July 14, 2026, 6:52 pm | Insecure Default Initialization of Resource
A second Bedrock API key-accepting service plane called "bedrock-mantle" was discovered. This plane was not described in AWS's customer-facing Bedrock documentation. As a result, the AWS-published security controls to detect and prevent Bedrock API key abuse failed to apply to the bedrock-mantle plane. Specifically, the IAM deny policy, CloudTrail detection signal, and model invocation logging configuration were all found to be ineffective against the bedrock-mantle plane.