GHSA-2mx6-fq24-g2mh: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Ibexa DXP's back office, specifically affecting the admin-ui component. The vulnerability was disclosed on October 17, 2025, and affects multiple versions including Ibexa DXP v3.3., v4.6., and v5.0.*. The issue was identified in several areas of the back office including image asset names, content language names, and future publishing functionality (Ibexa Advisory, GitHub Advisory).

The vulnerability is classified as Moderate severity with a CVSS score of 4.8. The CVSS v4 base metrics indicate that the vulnerability requires network access (Attack Vector: Network), has low attack complexity, requires high privileges, and passive user interaction. The vulnerability is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (GitHub Advisory).

The XSS vulnerability is persistent and can potentially affect both back office and front office users. When successfully exploited, the injected XSS could be reflected in the front office, impacting end users. The vulnerability affects multiple areas including product assets, image asset field type, content tags, acronym custom tag in Rich Text, content languages, and future publishing functionality (Ibexa Advisory).

The vulnerability has been patched in versions Ibexa DXP v3.3.44, v4.6.25, and v5.0.3. The fixes ensure proper XSS escaping and render any existing injected XSS harmless. No workarounds are available, making it essential to upgrade to the patched versions (Ibexa Advisory).