CVE-2025-66468 Overview
CVE-2025-66468 is a stored cross-site scripting (XSS) vulnerability in the Aimeos GrapesJS CMS extension. The extension provides a page editor for building content pages from extensible components. Malicious editors can inject JavaScript code that is stored and executed when other users render the affected page. Exploitation requires the standard Content Security Policy (CSP) to be disabled, which weakens the default mitigation against client-side injection. The flaw is tracked under [CWE-79] and affects all versions prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
Critical Impact
Authenticated editors can store JavaScript payloads that execute in other users' browsers, enabling session hijacking, content defacement, and credential theft when CSP is disabled.
Affected Products
- Aimeos GrapesJS CMS prior to 2021.10.8
- Aimeos GrapesJS CMS prior to 2022.10.8, 2023.10.8, and 2024.10.8
- Aimeos GrapesJS CMS prior to 2025.10.8
Discovery Timeline
- 2025-12-02 - CVE-2025-66468 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2025-66468
Vulnerability Analysis
The Aimeos GrapesJS CMS extension accepts rich HTML content from editors through its page builder interface. Before the patched releases, the Standard.php content handler in src/Admin/JQAdm/Cms/Content/ stored editor-supplied HTML without sanitization. An editor with content management permissions can embed <script> tags, event handlers, or other JavaScript constructs within the text.content field. The stored payload executes whenever a visitor loads the rendered page in a browser. Impact is amplified when administrators or other editors view affected pages, because their session context is exposed to the attacker-controlled script.
Root Cause
The root cause is missing output and storage sanitization for editor-supplied HTML content. The application relied on the standard Content Security Policy to suppress inline script execution rather than stripping dangerous markup at the data layer. When operators disable or relax the CSP, the unsanitized HTML is rendered as-is. This is a classic defense-in-depth failure described by [CWE-79]: Improper Neutralization of Input During Web Page Generation.
Attack Vector
The attack requires network access to the CMS backend and an authenticated editor account. The attacker creates or edits a content page, places a JavaScript payload into a text component, and saves the page. Victims trigger the payload by visiting the page in any browser session where CSP is not enforced. User interaction is required for execution, and the scope changes because the script runs in the context of a different security domain.
// Patch from src/Admin/JQAdm/Cms/Content/Standard.php
foreach( $data as $idx => $entry )
{
if( !( $content = trim( $this->val( $entry, 'text.content', '' ) ) ) ) {
continue;
}
$config = \HTMLPurifier_Config::createDefault();
$config->set( 'Attr.AllowedFrameTargets', ['_blank', '_self'] );
$purifier = new \HTMLPurifier( $config );
$entry['text.content'] = $purifier->purify( $content );
$id = $this->val( $entry, 'text.id', '' );
$type = $this->val( $entry, 'cms.lists.type', 'default' );
}
Source: Aimeos GitHub commit 2214f71
Detection Methods for CVE-2025-66468
Indicators of Compromise
- Stored CMS content containing <script> tags, javascript: URIs, or DOM event handlers such as onerror, onload, or onmouseover in the text.content field.
- Editor accounts modifying multiple pages in a short window with payloads referencing external script hosts.
- Browser console errors or CSP report-only violations originating from CMS-rendered pages.
Detection Strategies
- Query the mshop_text table or equivalent storage for HTML fragments containing script tags, inline event handlers, or encoded JavaScript patterns.
- Review web server access logs for editor session activity correlated with POST requests to the admin/jqadm/cms/content endpoint.
- Enable CSP report-uri or report-to directives in a non-production environment to surface inline script attempts during content rendering.
Monitoring Recommendations
- Audit role-based access to the GrapesJS editor and review the change history for content updates by privileged users.
- Alert on disabled or weakened CSP headers across CMS responses, particularly the absence of script-src restrictions.
- Track repeated authentication failures or anomalous logins for editor accounts that could indicate account takeover preceding XSS injection.
How to Mitigate CVE-2025-66468
Immediate Actions Required
- Upgrade the Aimeos GrapesJS CMS extension to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, or 2025.10.8 depending on the deployed branch.
- Re-enable and enforce the default Content Security Policy in front-end and admin contexts.
- Audit existing CMS content for stored JavaScript payloads and purge or sanitize affected entries.
Patch Information
The maintainers fixed the issue by adding the ezyang/htmlpurifier dependency and routing editor-supplied HTML through HTMLPurifier before storage. The patch is available in commit 2214f71ac27cdea25f11c8adf6bb5816db47a042 and described in GHSA-424m-fj2q-g7vg.
Workarounds
- Keep the standard Content Security Policy enabled to block inline script execution until the patched version is deployed.
- Restrict GrapesJS editor permissions to trusted users and apply the principle of least privilege for content management roles.
- Apply server-side HTML sanitization through a reverse proxy or web application firewall rule that strips <script> tags and inline event handlers from CMS submissions.
# Update composer.json to pull patched releases
composer require aimeos/ai-cms-grapesjs:^2025.10.8
composer require ezyang/htmlpurifier:^4.19
composer update aimeos/ai-cms-grapesjs ezyang/htmlpurifier
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

