CVE-2025-51464 (HIGH, CVSS 8.8, EPSS percentile 42.9%)

Description

Cross-site scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Malicious Python code submitted to the /api/reports endpoint is stored as a report and, when the report is viewed, is interpreted and executed by Pyodide in the viewer's browser. No sanitisation or sandbox restriction prevents that Python code from executing JavaScript through pyodide.code.run_js(), so the Python-in-the-browser runtime becomes the XSS vector.
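The description above names the chain: untrusted Python stored via /api/reports, later run by Pyodide, reaching the page through pyodide.code.run_js(). The following is an added example, not code from the Aim project and not the change in the referenced pull request. It is a hypothetical server-side pre-check, written in Python since the endpoint is a Python API, that parses submitted report source with the standard `ast` module and flags the constructs through which Pyodide-executed code can reach the JavaScript realm: imports of the `js` or `pyodide` modules, the dotted call path `pyodide.code.run_js`, and dynamic escape hatches (`exec`, `eval`, `__import__`, `getattr`, ...) that a payload can use to assemble those names at runtime. The sample payloads and the benign report are constructed for the example.

```python
"""Static pre-check for report code destined for Pyodide (added example,
not Aim's own code). A deny-list is a detection layer, not a sandbox;
see the usage note for the structural fix."""
import ast
from dataclasses import dataclass

# Root modules whose import hands Pyodide code a handle on the JS realm.
JS_BRIDGE_MODULES = {"js", "pyodide"}
# Dotted call paths that execute JavaScript directly.
JS_EXEC_ATTRS = {"pyodide.code.run_js", "js.eval", "js.Function"}
# Builtins that let a payload build forbidden names at runtime.
DYNAMIC_BUILTINS = {"exec", "eval", "__import__", "getattr", "compile", "globals", "vars"}

# Constructed sample inputs (not real Aim reports).
PAYLOAD_RUN_JS = 'import pyodide\npyodide.code.run_js("alert(document.cookie)")\n'
PAYLOAD_FROM_JS = "from js import document\ndocument.title = 'owned'\n"
# Aliasing evades the attribute check; the __import__ check still catches it.
PAYLOAD_DYNAMIC = 'mod = __import__("py" + "odide")\nmod.code.run_js("alert(1)")\n'
BENIGN_REPORT = "import math\nvalues = [math.sqrt(x) for x in range(10)]\nprint(sum(values))\n"


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_report_code(source):
    """Parse report source and return a list of Finding; unparseable input is itself a finding."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [Finding(exc.lineno or 0, "unparseable source")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in JS_BRIDGE_MODULES:
                    findings.append(Finding(node.lineno, f"import of JS bridge module {alias.name!r}"))
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod.split(".")[0] in JS_BRIDGE_MODULES:
                findings.append(Finding(node.lineno, f"from-import of JS bridge module {mod!r}"))
        elif isinstance(node, ast.Attribute):
            name = _dotted_name(node)
            if name in JS_EXEC_ATTRS:
                findings.append(Finding(node.lineno, f"call path {name!r} executes JavaScript"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DYNAMIC_BUILTINS:
                findings.append(Finding(node.lineno, f"dynamic escape hatch {name!r}()"))
    return findings


def is_safe_to_store(source):
    """True only when the scanner raises no finding; the endpoint would reject otherwise."""
    return not scan_report_code(source)


if __name__ == "__main__":
    for label, code in [("run_js", PAYLOAD_RUN_JS), ("from js", PAYLOAD_FROM_JS),
                        ("dynamic", PAYLOAD_DYNAMIC), ("benign", BENIGN_REPORT)]:
        print(label, "->", [(f.line, f.reason) for f in scan_report_code(code)])
```

The scanner is deliberately conservative: it rejects benign `getattr` use, and it can still be bypassed by anything that reaches the interpreter's globals without a flagged name. Treat it as a detection and logging layer at the API boundary. The structural fix for this class of bug is to execute report code in a context that cannot reach the Aim session at all, for example a sandboxed iframe on a separate origin with its own Content Security Policy, so that run_js, if it executes, runs against an empty document rather than the victim's authenticated page.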

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.9% · scored 2026-06-18T12:00:27Z
Published: 2025-07-22
Last modified: 2025-09-11

Underlying weaknesses (1)

CWE-79

References

  1. https://github.com/aimhubio/aim
  2. https://github.com/aimhubio/aim/pull/3333
  3. https://www.gecko.security/blog/cve-2025-51464

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), cwe-79 | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-5321
  2. CVE-2026-35466
  3. CVE-2026-49384
  4. CVE-2025-40892
  5. CVE-2025-55346
  6. CVE-2025-51534
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.