High severity8.8NVD Advisory· Published Jul 22, 2025· Updated Jun 17, 2026
CVE-2025-51464
CVE-2025-51464
Description
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aimPyPI | <= 3.30.0.dev20250611 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/aimhubio/aim/pull/3333nvdExploitIssue TrackingWEB
- www.gecko.security/blog/cve-2025-51464nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-gmvv-rj92-9w35ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-51464ghsaADVISORY
News mentions
0No linked articles in our index yet.