Description
The Aimeos GrapesJS CMS extension provides a page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, malicious editors can inject JavaScript code for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg
Scores
CVSS v3
7.6
EPSS
0.0002
EPSS Percentile
5.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
aimeos/ai-cms-grapesjs
2021.04.1 - 2021.10.8 (Packagist)
aimeos/grapesjs_cms
2021.04.1 - 2021.10.8
Published
Dec 02, 2025
Tracked Since
Feb 18, 2026