How to fix CVE-2025-25062?

During next maintenance window: Identify affected systems running Backdrop CMS 1.28.x and apply vendor patches when convenient. Verify Content-Security-Policy and output encoding.

Is Backdrop Cms affected by CVE-2025-25062?

Organizations using Backdrop CMS 1.28.x should be aware of moderate risk from CVE-2025-25062, a cross-site scripting vulnerability rated CVSS 4.4. Attackers could inject scripts to steal sessions or perform actions as authenticated users.

Backdrop Cms CVE-2025-25062

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-02-03 [email protected]

XSS Backdrop Cms

4.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:06 vuln.today

PoC Detected

Jan 23, 2026 - 18:46 vuln.today

Public exploit code

CVE Published

Feb 03, 2025 - 04:15 nvd

MEDIUM 4.4

DescriptionNVD

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.

AnalysisAI

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 26.5%.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module. Affected products include: Backdropcms Backdrop Cms. Version information: before 1.28.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-25062 vulnerability details – vuln.today

Back