CVE-2025-66468 HIGH

CVE-2025-66468: Aimeos GrapesJS CMS extension possible stored XSS exploitable by authenticated editors

Vendor Aimeos
Product ai-cms-grapesjs
Weakness CWE-79 · XSS
Published December 2, 2025
Last update December 2, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

The Aimeos GrapesJS CMS extension provides a page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, JavaScript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

Key dates

02 Disclosure timeline

December 2, 2025 CVE published
December 2, 2025 Record updated