PT-2025-30441 · Unknown · Aimhubio Aim

Geckosecurity · Published 2025-07-22 · Updated 2025-07-22 · CVE-2025-51464

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: aimhubio Aim version 3.28.0
Description: A cross-site scripting (XSS) issue exists in aimhubio Aim 3.28.0. Remote attackers can execute arbitrary JavaScript in a victim's browser by submitting malicious Python code to the /api/reports endpoint. The submitted Python code is interpreted and executed by Pyodide when the report is viewed. Insufficient sanitisation and missing sandbox restrictions allow JavaScript execution via pyodide.code.run_js().
Recommendations: aimhubio Aim version 3.28.0: As a temporary workaround, consider restricting access to the /api/reports endpoint to minimize the risk of exploitation.

Related Identifiers

CVE-2025-51464
GHSA-GMVV-RJ92-9W35

Affected Products

Pyodide
Aimhubio Aim