GHSA-gmvv-rj92-9w35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gmvv-rj92-9w35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gmvv-rj92-9w35/GHSA-gmvv-rj92-9w35.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-gmvv-rj92-9w35
- Aliases
-
- CVE-2025-51464
- Published
- 2025-07-22T18:30:42Z
- Modified
- 2025-07-22T21:12:17.638398Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Aim vulnerable to Cross-site Scripting
- Details
-
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2025-07-22T20:48:43Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2025-07-22T18:15:36Z" }- References
Affected packages
PyPI / aim
Package
- Name
- aim
- View open source insights on deps.dev
- Purl
- pkg:pypi/aim
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected3.30.0.dev20250611
Affected versions
2.*
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4.0
3.4.1
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0
3.6.1
3.6.2
3.6.3
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.8.0
3.8.1
3.9.0a1
3.9.0a14
3.9.2
3.9.3
3.9.4
3.10.0.dev9
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0.dev4
3.11.0
3.11.1.dev1
3.11.1
3.11.2
3.12.0.dev2
3.12.0
3.12.1
3.12.2
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.15.0
3.15.1
3.15.2
3.16.0
3.16.1
3.16.2
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5rc1
3.17.5rc2
3.17.5rc3
3.17.5rc4
3.17.5
3.18.0.dev2
3.18.0.dev3
3.18.0.dev4
3.18.0.dev5
3.18.0
3.18.1
3.19.0
3.19.1
3.19.2
3.19.3
3.20.1
3.21.0
3.22.0
3.23.0
3.24.0
3.25.0
3.25.1
3.26.0.dev1
3.26.1
3.27.0
3.28.0
3.29.0.dev20250321
3.29.0.dev20250322
3.29.0.dev20250323
3.29.0.dev20250324
3.29.0.dev20250327
3.29.0.dev20250328
3.29.0.dev20250329
3.29.0.dev20250330
3.29.0.dev20250331
3.29.0.dev20250401
3.29.0.dev20250402
3.29.0.dev20250403
3.29.0.dev20250404
3.29.0.dev20250405
3.29.0.dev20250406
3.29.0.dev20250407
3.29.0.dev20250408
3.29.0.dev20250409
3.29.0.dev20250410
3.29.0.dev20250411
3.29.0.dev20250412
3.29.0.dev20250413
3.29.0.dev20250414
3.29.0.dev20250415
3.29.0.dev20250416
3.29.0.dev20250417
3.29.0.dev20250418
3.29.0.dev20250419
3.29.0.dev20250420
3.29.0
3.29.1
3.30.0.dev20250508
3.30.0.dev20250509
3.30.0.dev20250510
3.30.0.dev20250511
3.30.0.dev20250512
3.30.0.dev20250513
3.30.0.dev20250514
3.30.0.dev20250515
3.30.0.dev20250516
3.30.0.dev20250517
3.30.0.dev20250518
3.30.0.dev20250519
3.30.0.dev20250520
3.30.0.dev20250521
3.30.0.dev20250522
3.30.0.dev20250523
3.30.0.dev20250524
3.30.0.dev20250525
3.30.0.dev20250526
3.30.0.dev20250527
3.30.0.dev20250528
3.30.0.dev20250529
3.30.0.dev20250530
3.30.0.dev20250531
3.30.0.dev20250601
3.30.0.dev20250602
3.30.0.dev20250603
3.30.0.dev20250604
3.30.0.dev20250605
3.30.0.dev20250606
3.30.0.dev20250607
3.30.0.dev20250608
3.30.0.dev20250609
3.30.0.dev20250610
3.30.0.dev20250611