CVE-2025-51464

Published: Jul 22, 2025

Modified: Jul 22, 2025

PUBLISHED

Description

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/aimhubio/aim

https://github.com/aimhubio/aim/pull/3333

https://www.gecko.security/blog/cve-2025-51464

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-51464

Description

Affected Products

References