What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Coyier CodePen Embed Block codepen-embed-block allows Stored XSS. This issue affects CodePen Embed Block: from n/a through <= 1.2.0.
Explanation of the vulnerability in simple terms
02 Summary
The CodePen Embed Block contains a cross-site scripting (XSS) vulnerability that allows an authenticated user with high privileges to inject malicious scripts. An attacker must have administrator-level access and trick a user into visiting a crafted page. The injected script executes in the victim's browser with their permissions, potentially compromising site data or user accounts.
What an attacker can do
03 Attacker capabilities
Inject malicious JavaScript that runs in a user's browser when they view an affected page.
Potential impact on your site
04 Site impact
An admin attacker can steal session tokens, modify site content, or compromise user accounts of anyone viewing the affected page.
Conditions required to exploit
05 Prerequisites
Administrator access to the site and user interaction (victim must visit the crafted page).
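The root cause named in the description is stored block content reaching the rendered page without neutralization. The following is an added illustration, not code from the CodePen Embed Block plugin or from its author: it contrasts a renderer that concatenates stored block attributes straight into an iframe tag with one that validates the embed URL against an allowlist and HTML-encodes every attribute before output. The attribute names (`src`, `height`), the path shape `/<user>/embed/<slug>` and the sample stored values are assumptions constructed for the example.

```javascript
// Added example: rendering a stored embed from untrusted block attributes.
// Not the plugin's own code; attribute names and sample values are constructed.

// Minimal HTML attribute encoder covering the characters that can close or
// alter an attribute value.
const ATTRIBUTE_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTRIBUTE_ENTITIES[c]);
}

// Vulnerable pattern: whatever was stored in the block is emitted verbatim,
// so a value containing a quote or a tag rewrites the resulting markup.
function renderEmbedUnsafe(attrs) {
  return `<iframe src="${attrs.src}" height="${attrs.height}"></iframe>`;
}

// Hardened pattern, step 1: accept only an https URL on an allowlisted host
// whose path looks like an embed path (assumed shape /<user>/embed/<slug>),
// and drop query string and fragment so nothing else rides along.
const ALLOWED_HOSTS = new Set(['codepen.io']);
const EMBED_PATH = /^\/[A-Za-z0-9_-]+\/embed\/[A-Za-z0-9_-]+\/?$/;

function safeEmbedSrc(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // not parseable as an absolute URL
  }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return null;
  if (!EMBED_PATH.test(url.pathname)) return null;
  url.search = '';
  url.hash = '';
  return url.toString();
}

// Hardened pattern, step 2: coerce numeric attributes to a bounded integer
// and encode everything that lands inside an attribute value.
function renderEmbedSafe(attrs) {
  const src = safeEmbedSrc(attrs.src);
  if (src === null) return ''; // refuse to render rather than emit tainted markup
  const parsed = Number.parseInt(attrs.height, 10);
  const height = Number.isInteger(parsed) && parsed > 0 && parsed <= 2000 ? parsed : 300;
  return `<iframe src="${escapeAttr(src)}" height="${height}"></iframe>`;
}

// Constructed sample block attributes: one benign, one carrying a tainted value
// of the kind a high-privilege author could store in block content.
const STORED_BENIGN = { src: 'https://codepen.io/alice/embed/abcdef', height: '300' };
const STORED_TAINTED = { src: 'https://evil.example/x" onload="hijack()', height: '300' };

console.log('unsafe benign :', renderEmbedUnsafe(STORED_BENIGN));
console.log('unsafe tainted:', renderEmbedUnsafe(STORED_TAINTED)); // attribute breakout survives
console.log('safe benign   :', renderEmbedSafe(STORED_BENIGN));
console.log('safe tainted  :', JSON.stringify(renderEmbedSafe(STORED_TAINTED))); // ""
```

Validating and encoding at render time is the durable fix because it does not depend on who authored the block or on what capabilities they held when the content was saved; stored content written by an administrator is still untrusted once it is turned into markup for another user's browser.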
Key dates
06 Disclosure timeline
June 20, 2025: CVE published
April 28, 2026: Record updated