Description

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

INFO

Published Date :

2025-07-22T00:00:00.000Z

Last Modified :

2025-07-22T18:18:12.170Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-51464 vulnerability.

Vendors Products
Aimhubio
  • Aim
Aimstack
  • Aim
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-51464.

URL Resource
https://github.com/aimhubio/aim cve-icon cve-icon
https://github.com/aimhubio/aim/pull/3333 cve-icon cve-icon
https://www.gecko.security/blog/cve-2025-51464 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact