CVE-2025-66468

Summary

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

Affected Software

VendorProductVersion RangeStatus
aimeosai-cms-grapesjs>= 2021.04.1, < 2021.10.8affected
aimeosai-cms-grapesjs>= 2022.04.1, < 2022.10.9affected
aimeosai-cms-grapesjs>= 2023.04.1, < 2023.10.15affected
aimeosai-cms-grapesjs>= 2024.04.1, < 2024.10.8affected
aimeosai-cms-grapesjs>= 2025.04.1, < 2025.10.2affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References