GHSA-2mx6-fq24-g2mh: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in ibexa/admin-ui, identified as GHSA-2mx6-fq24-g2mh, affecting versions >= 5.0.0, < 5.0.3 and >= 4.6.0, < 4.6.25. The vulnerability was published and updated on October 17, 2025, impacting the Cancel/Reschedule future publication modal in the back office of the DXP system (GitHub Advisory, Ibexa Advisory).

The vulnerability is classified with a CVSS v4 base score of 4.8 (Moderate severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The issue is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in multiple components including image asset names, content language names, and future publishing functionality (GitHub Advisory).

The vulnerability allows for persistent XSS attacks that can affect both back office and front office users. When successfully exploited, injected XSS could persist in the system and potentially be reflected in the front office, impacting end users. The attack requires back office access with editing and management permissions, typically at the Editor or Administrator role level (Miggo).

The vulnerability has been patched in versions 5.0.3 and 4.6.25 of ibexa/admin-ui. The fixes implement proper XSS escaping mechanisms, rendering any existing injected XSS harmless. No workarounds are available, and users are advised to upgrade to the patched versions (Ibexa Advisory).