An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1nbXZ2LXJqOTItOXczNc4ABKa2

Moderate CVSS: 5.3 EPSS: 0.00171% (0.39043 Percentile)

Aim vulnerable to Cross-site Scripting

Affected Packages Affected Versions Fixed Versions
pypi:aim <= 3.30.0.dev20250611 No known fixed version
18 Dependent packages
136 Dependent repositories
140,853 Downloads last month

Affected Version Ranges

All affected versions

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

References: