PT-2025-5616 · Unknown · Backdrop CMS

Grzegorz Misiun · Published 2025-02-03 · Updated 2025-02-03 · CVE-2025-25063

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backdrop CMS versions 1.28.x through 1.28.4; Backdrop CMS versions 1.29.x through 1.29.2
Description: A security issue was discovered related to the validation of uploaded SVG images. These images can contain clickable links and executable scripting. An attacker could potentially execute scripting in the browser when an SVG image is viewed directly by its URL. However, the attacker must have the ability to upload SVG images, and the scripting is prevented from executing when the SVG is embedded within <img> tags.
Recommendations: For Backdrop CMS versions 1.28.x through 1.28.4, update to version 1.28.5 or later. For Backdrop CMS versions 1.29.x through 1.29.2, update to version 1.29.3 or later.
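The description above turns on one point: an SVG is an XML document that may carry `<script>` elements, `on*` event-handler attributes and `javascript:` links, and a browser that opens the file directly by its URL will honour them, whereas an `<img>` tag renders it as a static image. The following is an added example of the kind of upload-time check a site could apply before accepting an SVG; it is not Backdrop's own code and does not reproduce Backdrop's fix. The policy it enforces (well-formed XML, SVG root element, no script-capable elements, no event handlers, no hyperlinks with an active scheme) and the sample files are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can run script or embed HTML when the SVG is opened as a
# document in its own browser tab (assumed block list for this example).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Link schemes that execute or smuggle content instead of referencing a file.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://...}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def svg_upload_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean).

    Assumed policy, not Backdrop's: accept only well-formed XML whose root is an
    SVG element and which contains no script-capable elements, no on* event
    handler attributes and no hyperlinks using javascript:/data:/vbscript:.
    xml.etree offers no entity-expansion protection; a production validator
    should parse with defusedxml instead.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG document")

    for elem in root.iter():  # iter() walks the root and every descendant
        tag = _local(elem.tag).lower() if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        if tag == "a":
            findings.append("<a> hyperlink element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"href with active scheme: {value.strip()[:20]!r}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True when the assumed upload policy finds nothing to object to."""
    return not svg_upload_findings(data)


# Constructed sample uploads for the example (not taken from the advisory).
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="blue"/></svg>'
)
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">'
    b'<script>/* constructed: honoured only when opened by URL */</script></svg>'
)
LINKED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG), ("linked", LINKED_SVG)):
        print(label, "->", svg_upload_findings(sample) or "accepted")
```

Validation at upload time addresses the "must have the ability to upload SVG images" precondition; the other half of the advisory, that the script runs only when the file is viewed directly by its URL, is the reason a common complementary measure is to serve user-supplied SVGs with a `Content-Disposition: attachment` header or a restrictive Content-Security-Policy on the upload path, so that a direct visit downloads or sandboxes the file rather than executing it as a document.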

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-25063

Affected Products

Backdrop CMS