PT-2025-5615 · Unknown · Backdrop CMS, CKEditor 5

Author: Grzegorz Misiun (+2)
Published: 2025-02-03
Updated: 2025-04-11
CVE: CVE-2025-25062
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backdrop CMS versions 1.28.x through 1.28.4; Backdrop CMS versions 1.29.x through 1.29.2
Description: A cross-site scripting (XSS) issue was discovered in Backdrop CMS when using the CKEditor 5 rich text editor. The issue arises because the system does not sufficiently isolate long text content, allowing a potential attacker to craft specialized HTML and JavaScript that may be executed in an administrator's browser when the administrator attempts to edit that piece of content. This issue is mitigated by the fact that an attacker must have the ability to create long text content, and an administrator must then edit the content that contains the malicious markup.
Recommendations: For Backdrop CMS versions 1.28.x through 1.28.4, update to version 1.28.5 or later. For Backdrop CMS versions 1.29.x through 1.29.2, update to version 1.29.3 or later. As a temporary workaround, consider disabling the CKEditor 5 module until the update can be applied. Restrict access to the node and comment forms to minimize the risk of exploitation.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2025-25062

Affected Products: Backdrop CMS, CKEditor 5