Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rqgm-8gsj-qbeg
Vulnerability ID VCID-rqgm-8gsj-qbeg
Aliases CVE-2025-51464
GHSA-gmvv-rj92-9w35
Summary Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Status Published
Exploitability 0.5
Weighted Severity 7.9
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01878 https://api.first.org/data/v1/epss?cve=CVE-2025-51464
epss 0.01878 https://api.first.org/data/v1/epss?cve=CVE-2025-51464
cvssv3.1 8.8 https://github.com/aimhubio/aim
cvssv4 5.3 https://github.com/aimhubio/aim
generic_textual MODERATE https://github.com/aimhubio/aim
ssvc Track* https://github.com/aimhubio/aim
cvssv3.1 8.8 https://github.com/aimhubio/aim/pull/3333
cvssv4 5.3 https://github.com/aimhubio/aim/pull/3333
generic_textual MODERATE https://github.com/aimhubio/aim/pull/3333
ssvc Track* https://github.com/aimhubio/aim/pull/3333
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-51464
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-51464
cvssv3.1 8.8 https://www.gecko.security/blog/cve-2025-51464
cvssv4 5.3 https://www.gecko.security/blog/cve-2025-51464
generic_textual MODERATE https://www.gecko.security/blog/cve-2025-51464
ssvc Track* https://www.gecko.security/blog/cve-2025-51464
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-51464
https://nvd.nist.gov/vuln/detail/CVE-2025-51464
3333 https://github.com/aimhubio/aim/pull/3333
aim https://github.com/aimhubio/aim
cve-2025-51464 https://www.gecko.security/blog/cve-2025-51464
GHSA-gmvv-rj92-9w35 https://github.com/advisories/GHSA-gmvv-rj92-9w35
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/aimhubio/aim
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/aimhubio/aim
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/ Found at https://github.com/aimhubio/aim
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/aimhubio/aim/pull/3333
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/aimhubio/aim/pull/3333
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/ Found at https://github.com/aimhubio/aim/pull/3333
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-51464
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.gecko.security/blog/cve-2025-51464
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://www.gecko.security/blog/cve-2025-51464
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/ Found at https://www.gecko.security/blog/cve-2025-51464
Exploit Prediction Scoring System (EPSS)
Percentile 0.83544
EPSS Score 0.01878
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:59:10.108334+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/51xxx/CVE-2025-51464.json 38.6.0