Medium severity4.9NVD Advisory· Published Apr 26, 2025· Updated Apr 15, 2026

CVE-2025-46655

Description

CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/hackmdio/codimd/issues/1910nvd
github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.mdnvd

News mentions

No linked articles in our index yet.

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000