How to fix CVE-2025-66468?

Within 24 hours: Verify your Aimeos CMS version and determine if CSP is enabled in your production environment. Within 7 days: Apply the available patch to upgrade to versions 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, or 2025.10.8 depending on your current release line, or implement strict Content Security Policy headers if patching is delayed. Within 30 days: Conduct a security audit of existing page content to identify any injected malicious code and review editor access permissions to limit who can create or modify pages.

Is Grapesjs Cms affected by CVE-2025-66468?

A stored cross-site scripting (XSS) vulnerability in the Aimeos GrapesJS CMS extension allows malicious content editors to inject harmful JavaScript code into pages, potentially compromising website visitors and enabling credential theft or malware distribution.

CVE-2025-66468

EUVD-2025-200307 HIGH

2025-12-02 [email protected]

GHSA-424m-fj2q-g7vg

XSS Grapesjs Cms

7.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200307

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

Patch Released

Mar 15, 2026 - 14:04 nvd

Patch available

CVE Published

Dec 02, 2025 - 19:15 nvd

HIGH 7.6

DescriptionNVD

The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.

AnalysisAI

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2025-66468 vulnerability details – vuln.today

Back

CVE-2025-66468

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code