CVE-2025-51464 Information
Jul 23, 2025
cve
Description
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Reference
https://github.com/aimhubio/aim https://github.com/aimhubio/aim/pull/3333 https://www.gecko.security/blog/cve-2025-51464
Related CNNVD
CNNVD-202507-2909 (Published: 2025-07-22)
Share on: