cbcvebase.
CVE-2025-54384
published 2025-10-29


Priority: P4 (34)
Severity: medium, CVSS 3.1 base score 6.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
EPSS: 0.20% (10.5th percentile)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
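The mechanism behind this class of bug is worth seeing in working code: a helper that truncates user text and then wraps the result in a Markup literal tells the autoescaping template engine "this is already safe HTML", so whatever the user typed is emitted verbatim. The block below is an added illustration, not CKAN's own helpers.markdown_extract() implementation or its fix. It assumes a minimal Markup stand-in (markupsafe.Markup is what CKAN and Jinja2 actually use), a deliberately naive Markdown stripper, a constructed dataset description as input, and a render() function that mimics Jinja2 autoescape.

```python
import html
import re


class Markup(str):
    """Minimal stand-in for markupsafe.Markup (assumption for this example):
    a str that an autoescaping template inserts verbatim because it has
    an __html__ method."""

    def __html__(self):
        return self


def render(value):
    """Simulate Jinja2 autoescape: values marked safe via __html__ are emitted
    as-is, anything else is HTML-escaped before it reaches the page."""
    if hasattr(value, "__html__"):
        return str(value.__html__())
    return html.escape(str(value), quote=True)


# Strips a little Markdown syntax (emphasis, code spans, headings, links) to
# get a plain-text extract. Deliberately leaves angle brackets alone, so raw
# HTML typed by the user survives into the extract.
_MD_SYNTAX = re.compile(r"[*_`#]|\[([^\]]*)\]\([^)]*\)")


def _plain_text(markdown_text):
    return _MD_SYNTAX.sub(lambda m: m.group(1) or "", markdown_text).strip()


def markdown_extract_vulnerable(markdown_text, extract_length=190):
    """Vulnerable pattern: truncate the user text and then declare the result
    trusted HTML. Any markup the user typed is now rendered by the template."""
    extract = _plain_text(markdown_text)[:extract_length]
    return Markup(extract)


def markdown_extract_fixed(markdown_text, extract_length=190):
    """Fixed pattern: escape AFTER truncating (so an entity such as &lt; is
    never cut in half) and only then mark the string as safe."""
    extract = _plain_text(markdown_text)[:extract_length]
    return Markup(html.escape(extract, quote=True))


# Constructed sample input: a dataset "notes" field carrying an inline
# event-handler payload, the kind of value an authenticated user could save
# through the dataset form or the action API.
SAMPLE_NOTES = (
    '**Census 2020** extract <img src=x onerror="alert(document.domain)"> '
    "see [docs](https://example.invalid)"
)


def demo(notes=SAMPLE_NOTES):
    """Return what the page would contain before and after the fix."""
    before = render(markdown_extract_vulnerable(notes))
    after = render(markdown_extract_fixed(notes))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable:", before)
    print("fixed:     ", after)
```

The ordering in markdown_extract_fixed matters: escaping before truncation can leave a dangling `&lt` or `&quot` at the cut point, while truncating first and escaping last always yields well-formed text. When auditing a Jinja2/Flask codebase for the same pattern, grep for every constructor of Markup and literal_eval-style "safe" wrappers and confirm that each one is fed only output of an HTML sanitizer or escaper, never raw user input.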

Affected (4 ranges)

Vendor   Product   Version range            Fixed in
ckan     ckan      < 2.10.9                 2.10.9
ckan     ckan      (no range listed)        -
ckan     ckan      >= 0, < 2.10.9           2.10.9
ckan     ckan      >= 2.11.0, < 2.11.4      2.11.4