CVE-2025-66468

high

Description

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

References

https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg

https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042

Details

Source: Mitre, NVD

Published: 2025-12-02

Updated: 2025-12-02

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.6

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00038