Cross-Site Scripting Flaw in Aim by Aimhubio
CVE-2025-51464

CVSS 3.1 Score: 8.8 (HIGH)

Key Information:

  • Vendor: Aimhubio
  • Status: Vendor
  • CVE Published: 22 July 2025

What is CVE-2025-51464?

Aim 3.28.0 contains a stored cross-site scripting (XSS) flaw. A remote attacker can submit malicious Python code to the /api/reports endpoint; because the input is not properly sanitized and no sandbox restrictions are applied, the code is executed through Pyodide's JavaScript execution functionality, and arbitrary attacker-controlled JavaScript runs in the browser of any user who views the report. This exposes report viewers to session theft and other actions performed in their browser context.

References

CVSS V3.1

  • Score: 8.8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
