GetmeUK ContentTools Image cross site scripting
Description
A vulnerability was found in GetmeUK ContentTools up to 1.6.16. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Image Handler. The manipulation of the argument onload leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-2699 is a stored XSS vulnerability in GetmeUK ContentTools ≤1.6.16 via the onload attribute in the Image Handler, with a public exploit and no vendor patch.
Description
CVE-2025-2699 is a stored cross-site scripting (XSS) vulnerability in GetmeUK ContentTools, a JavaScript library for building WYSIWYG editors, version 1.6.16 and earlier. The flaw resides in an unknown function of the Image Handler component, where the onload argument is improperly sanitized, allowing an attacker to inject arbitrary JavaScript through image elements [1][3].
Exploitation
An attacker can remotely exploit this vulnerability by injecting a malicious onload event handler into an image tag, which executes when the image loads. The attack does not require authentication if the editor is publicly accessible (as on the project's demo page). A proof-of-concept demonstrating the injection of an onload attribute in an `<img>` tag has been publicly disclosed, making exploitation straightforward [3].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session when they interact with or view the malicious content. This can lead to session hijacking, data theft, or defacement within the editor's application domain [1].
Mitigation
The vendor, GetmeUK, was contacted early but has not responded or released a patch. Users of affected versions (≤1.6.16) should disable the Image Handler component or apply input validation filtering on the onload attribute as a temporary workaround. No fix is currently available, and the vulnerability remains unpatched [1][2].
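As an added illustration of the attribute-filtering workaround above (example code written for this page, not ContentTools' own code; the helper names are hypothetical): an allowlist filter that drops event-handler attributes such as onload from `<img>` markup and rejects unsafe `src` schemes before the content is stored or rendered.

```javascript
// Added example (not ContentTools code): allowlist filter for <img> attributes, applied
// server-side or before persisting editor output. Helper names are hypothetical.
const IMG_ATTR_ALLOWLIST = new Set(['src', 'alt', 'title', 'width', 'height', 'class']);
// Accept http(s) and root-relative paths only; rejects javascript:, data: and //host forms.
const SAFE_SRC = /^(?:https?:\/\/|\/(?!\/))/i;

// Keep only allowlisted attribute names (case-insensitive), so any on* handler such as
// onload or onerror is discarded, and require an acceptable scheme on src.
function sanitizeImgAttrs(attrs) {
  const out = {};
  for (const [rawName, rawValue] of Object.entries(attrs)) {
    const name = rawName.trim().toLowerCase();
    const value = String(rawValue).trim();
    if (!IMG_ATTR_ALLOWLIST.has(name)) continue;
    if (name === 'src' && !SAFE_SRC.test(value)) continue;
    out[name] = value;
  }
  return out;
}

// Tokenize the attributes of one serialized <img ...> tag. Deliberately narrow: it is not
// a general HTML parser; in a browser use DOMParser or a sanitizer library instead.
function parseImgTag(html) {
  const tag = /^<img\b([^>]*?)\/?>$/i.exec(html.trim());
  if (!tag) return null;
  const attrs = {};
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) {
    attrs[m[1]] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Re-serialize with every value quoted and escaped, so nothing can break out of an attribute.
function serializeImg(attrs) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  const parts = Object.entries(attrs).map(([k, v]) => ` ${k}="${esc(v)}"`);
  return `<img${parts.join('')}>`;
}

// Returns the cleaned tag, or '' when the input is not a single <img> tag.
function sanitizeImgTag(html) {
  const attrs = parseImgTag(html);
  return attrs === null ? '' : serializeImg(sanitizeImgAttrs(attrs));
}

// Constructed sample carrying the onload vector described above.
const sample = '<img src="/media/cat.png" alt="cat" onload="handler()">';
console.log(sanitizeImgTag(sample)); // <img src="/media/cat.png" alt="cat">
```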
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ContentTools (npm) | <= 1.6.16 | — |
Affected products
- Range: <=1.6.16
- GetmeUK/ContentTools (v5), Range: 1.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gist.github.com/Masamuneee/657f2e2b0eb5bf9b0d4dbb79f00dac37 (GHSA; exploit; web)
- github.com/advisories/GHSA-4f2v-2gpq-qhjg (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-2699 (GHSA; advisory)
- vuldb.com (GHSA; third-party advisory; web)
- vuldb.com (GHSA; signature; permissions required; web)
- vuldb.com (GHSA; VDB entry; technical description; web)
News mentions
No linked articles in our index yet.