CVE-2025-66468

EUVD-2025-200307
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.6 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
aimeosgrapesjs_cms
2021.04.1 ≤
𝑥
< 2021.10.8
aimeosgrapesjs_cms
2022.04.1 ≤
𝑥
< 2022.10.9
aimeosgrapesjs_cms
2023.04.1 ≤
𝑥
< 2023.10.15
aimeosgrapesjs_cms
2024.04.1 ≤
𝑥
< 2024.10.8
aimeosgrapesjs_cms
2025.04.1 ≤
𝑥
< 2025.10.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042
https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg