CVE-2025-54384

Published: Oct 29, 2025

Modified: Oct 29, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.

Vendor	Product	Versions
ckan	ckan	affected `>= 2.11.0, < 2.11.4` affected `< 2.10.9`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8

x_refsource_CONFIRM

https://github.com/ckan/ckan/commit/6d0065f2fc7e2682196d125275af34b93e9e554e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-54384

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References