CVE-2025-54384
Severity: MEDIUM · EPSS 10.5%
Published Oct 29, 2025 (8mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score: 6.3
Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages (plus any page provided by an extension that used that helper function), leading to a potential XSS vector. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
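The escape-then-mark pattern that this class of fix relies on, as an added illustration that is not CKAN's code: `HtmlLiteral`, `extract_unsafe`, `extract_safe` and `render` are assumed stand-ins for a template engine's literal type and the helper, and the sample dataset text is constructed.

```python
import html

# Stand-in for a template engine's "HTML literal" type: a string the
# autoescaper passes through untouched, which is what makes the wrapping
# step dangerous when the content has not been escaped first.
class HtmlLiteral(str):
    pass

# Constructed dataset description containing markup (sample input, not
# taken from the advisory).
SAMPLE_NOTES = "Air quality readings <script>alert(1)</script> for 2024"

def extract_unsafe(text: str, length: int = 190) -> HtmlLiteral:
    """Vulnerable pattern: truncate user text and mark it as literal HTML
    without neutralising tags, so the template renders them as markup."""
    return HtmlLiteral(text[:length])

def extract_safe(text: str, length: int = 190) -> HtmlLiteral:
    """Hardened pattern: escape first, then mark the result as literal."""
    return HtmlLiteral(html.escape(text[:length], quote=True))

def render(snippet: str) -> str:
    """Minimal autoescape: literals pass through, plain strings are escaped."""
    if isinstance(snippet, HtmlLiteral):
        return str(snippet)
    return html.escape(snippet, quote=True)

def has_active_script(rendered: str) -> bool:
    """Detection check: does the rendered HTML still contain a live tag?"""
    return "<script" in rendered.lower()
```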
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None
Threat Intelligence
EPSS exploit probability: 10.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses (1)
CWE-79: Cross-site Scripting Injection
References (2)
- github.com: https://github.com/ckan/ckan/commit/6d0065f2fc7e2682196d125275af34b93e9e554e
- github.com: https://github.com/ckan/ckan/security/advisories/GHSA-2r4h-8jxv-w2j8
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.