CVE-2025-66468 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the Aimeos ai-cms-grapesjs extension, a CMS page editor used for creating content pages with extensible components. The vulnerability exists in versions prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, across multiple release lines. The root cause is improper neutralization of input during web page generation, allowing malicious editors to inject arbitrary JavaScript code into stored content. This injected script executes in the context of users viewing the compromised pages, potentially leading to session hijacking, credential theft, or further exploitation of the web application. The attack requires that the standard Content Security Policy (CSP) be disabled, which otherwise would mitigate script injection. Exploitation requires authenticated editor privileges and user interaction to trigger the malicious payload. The vulnerability has a CVSS v3.1 score of 7.7, reflecting high impact on confidentiality, integrity, and availability, with attack vector being network-based but requiring high privileges and user interaction. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to organizations using affected versions of the Aimeos ai-cms-grapesjs CMS extension, especially those that have disabled or weakened CSP configurations. The issue is fixed in the specified 10.x.x patch releases for each affected year/version line.

For European organizations, this vulnerability can lead to severe consequences including unauthorized access to sensitive data, session hijacking, defacement of web content, and potential pivoting to internal networks. Since the vulnerability allows execution of arbitrary JavaScript in the context of the affected web application, attackers can steal authentication tokens, manipulate user sessions, and perform actions on behalf of legitimate users. This is particularly critical for e-commerce platforms and content management systems that handle personal data and payment information, increasing risks of data breaches and regulatory non-compliance under GDPR. The requirement for authenticated editor privileges limits exposure but insider threats or compromised editor accounts can be exploited. Disabling or misconfiguring CSP, which is a common practice in some deployments, significantly increases risk. The impact extends to brand reputation damage and potential financial losses due to fraud or remediation costs. Given the widespread use of Aimeos in European e-commerce and CMS solutions, the threat is material and demands urgent remediation.

1. Immediately upgrade affected Aimeos ai-cms-grapesjs installations to the fixed versions: 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, or 2025.10.8 as applicable. 2. Enforce a strict Content Security Policy (CSP) that disallows inline scripts and restricts script sources to trusted domains, preventing execution of injected JavaScript. 3. Limit editor privileges strictly to trusted personnel and implement multi-factor authentication (MFA) for editor accounts to reduce risk of account compromise. 4. Conduct regular security audits and code reviews of CMS content inputs to detect and sanitize potentially malicious content. 5. Monitor web application logs for unusual editor activity or injection attempts. 6. Educate content editors about the risks of injecting untrusted content and enforce input validation at the application level. 7. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the CMS. 8. Regularly review and update security policies related to CSP and user privilege management to maintain defense-in-depth.