Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-25062: Cross-site Scripting in Backdrop

Severity: 4.4 MEDIUM (NVD)
EPSS: 24.6% (top 3.86%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Feb 3

Description

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.3 | Impact: 2.7

Affected Packages (2 packages)

Source | Package | Affected from | Fixed in
CVEListV5 | backdropcms/backdrop | 1.28.0 | 1.28.5 (+1)
NVD | backdropcms/backdrop_cms | 1.28.0 | 1.28.5 (+1)

🔴 Vulnerability Details (2)

CVEList: CVE-2025-25062: An XSS issue was discovered in Backdrop CMS 1 (2025-02-03)
GHSA: GHSA-vrh8-g8q9-jhc6: An XSS issue was discovered in Backdrop CMS 1 (2025-02-03)

💥 Exploits & PoCs (1)

Nuclei: Backdrop CMS - Cross-Site Scripting

📋 Vendor Advisories (1)

Microsoft: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled processing crafted XML documents can l (2024-02-13)
CVE-2025-25062 — Cross-site Scripting in Backdrop | cvebase