CVE-2025-54384
Published 2025-10-29
CVE-2025-54384: CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract()…
Priority: P4 34 · Severity: medium · CVSS 3.1 base score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
EPSS: 0.20% (10.5th percentile)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
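The bug class described above, as an added illustration that is not CKAN's own code: a helper reduces user-supplied markdown to a plain-text extract, truncates it, and hands the result back as an HTML-literal object that templates insert without auto-escaping. `HtmlLiteral` stands in for `markupsafe.Markup`, `strip_markdown` is a deliberately tiny stand-in for a real markdown-to-text step, and the sample input is constructed; none of these names or behaviours are taken from CKAN's implementation. The unsafe variant lets raw tags reach the page, the hardened variant escapes the extract before marking it safe, and `contains_raw_tag` is the kind of check a unit test can run against the helper's output.

```python
"""Added illustration of the markdown_extract() bug class (not CKAN's code)."""
import html
import re


class HtmlLiteral(str):
    """Stand-in for markupsafe.Markup: templates insert it without escaping."""


def strip_markdown(text: str) -> str:
    """Toy markdown-to-text reducer (assumed, not a real markdown renderer).

    Drops link syntax, emphasis/heading markers and leading blockquote
    markers; it does NOT touch raw HTML, which is exactly the point.
    """
    text = re.sub(r"\[([^\]]*)\]\([^)]*\)", r"\1", text)  # [label](url) -> label
    text = re.sub(r"^>\s?", "", text, flags=re.M)          # blockquote marker
    text = re.sub(r"[*_`#]+", "", text)                    # emphasis / headings
    return text


def _truncate(plain: str, extract_length: int) -> str:
    """Cut at a word boundary and add an ellipsis, like a summary helper would."""
    if len(plain) > extract_length:
        plain = plain[:extract_length].rsplit(" ", 1)[0] + "..."
    return plain


def markdown_extract_unsafe(text: str, extract_length: int = 190) -> HtmlLiteral:
    """Vulnerable pattern: plain text is wrapped as an HTML literal unescaped,
    so any raw tag the user typed survives into the rendered page."""
    plain = _truncate(strip_markdown(text), extract_length)
    return HtmlLiteral(plain)


def markdown_extract_safe(text: str, extract_length: int = 190) -> HtmlLiteral:
    """Hardened pattern: truncate first, then HTML-escape, then mark as literal.

    Escaping after truncation means the cut can never land inside an entity
    such as '&lt;' and leave a dangling fragment.
    """
    plain = _truncate(strip_markdown(text), extract_length)
    return HtmlLiteral(html.escape(plain, quote=True))


def contains_raw_tag(rendered: str) -> bool:
    """Test helper: does an unescaped HTML tag opener survive in the output?"""
    return re.search(r"<\s*/?\s*[a-zA-Z]", rendered) is not None


# Constructed sample: a benign-looking description with an embedded tag.
SAMPLE = "Nice **dataset**, see [docs](https://example.invalid/) <script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe :", markdown_extract_unsafe(SAMPLE))
    print("safe   :", markdown_extract_safe(SAMPLE))
    print("raw tag in unsafe output:", contains_raw_tag(markdown_extract_unsafe(SAMPLE)))
    print("raw tag in safe output  :", contains_raw_tag(markdown_extract_safe(SAMPLE)))
```

The defensive takeaway is the ordering: any helper that returns a `Markup`-style value must escape (or run an allow-list sanitizer over) the text on the way in, and a regression test like `contains_raw_tag` on the helper's output catches the case where a later refactor drops that step.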
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ckan | ckan | < 2.10.9 | 2.10.9 |
| ckan | ckan | — | — |
| ckan | ckan | >= 0 < 2.10.9 | 2.10.9 |
| ckan | ckan | >= 2.11.0 < 2.11.4 | 2.11.4 |
GHSA
CKAN vulnerable to stored XSS in resource description
ghsa·2025-10-29
CVE-2025-54384 [MEDIUM] CWE-79 CKAN vulnerable to stored XSS in resource description
### Impact
The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector.
### Patches
This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
OSV
CKAN vulnerable to stored XSS in resource description
osv·2025-10-29
CVE-2025-54384 [MEDIUM] CKAN vulnerable to stored XSS in resource description
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-29