
Cloud Vulnerability DB
A community-led vulnerabilities database
A Cross-Site Scripting (XSS) vulnerability was discovered in Ibexa DXP's fieldtype-richtext component, specifically affecting the acronym custom tag in Rich Text functionality. The vulnerability was disclosed on October 17, 2025, affecting Ibexa DXP versions v4.6 and v5.0. This security issue has been assigned the identifier GHSA-8c2g-f8jm-5cr7 and is rated as High severity (Ibexa Advisory, GitHub Advisory).
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v4 score of 4.8, indicating moderate severity. The technical assessment shows the vulnerability has Network attack vector, Low attack complexity, requires High privileges, and Passive user interaction. The CVSS metrics indicate Low impact on both Confidentiality and Integrity for subsequent systems, with no direct impact on the vulnerable system itself (GitHub Advisory).
The XSS vulnerability is persistent in nature and can potentially affect both back office and front office users. When successfully exploited, the injected XSS payload can be reflected in the front office, potentially impacting end users. The vulnerability requires back office access with editor or administrator privileges for exploitation (Ibexa Advisory).
The vulnerability has been patched in versions v4.6.25 and v5.0.3 of Ibexa DXP. The fixes implement proper XSS escaping mechanisms and render any existing injected XSS harmless. No alternative workarounds are available, making it crucial to upgrade to the patched versions (GitHub Advisory).
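Since upgrading is the only remediation, a quick check of a project's composer.lock against the patched releases is useful. The following is an added example, not code from Ibexa or from either advisory; it assumes the component is installed as the Composer package ibexa/fieldtype-richtext and that its version number tracks the DXP release, and the lock file content is constructed sample data.

```python
import json
import re

# Patched releases stated in the advisory, keyed by release line.
PATCHED = {(4, 6): (4, 6, 25), (5, 0): (5, 0, 3)}
# Assumption: the component ships as this Composer package and its
# version number matches the Ibexa DXP release number.
PACKAGE = "ibexa/fieldtype-richtext"


def parse_version(text):
    """Return (major, minor, patch) for 'v4.6.24' style strings, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def check_lock(lock_text):
    """Classify the locked package version against GHSA-8c2g-f8jm-5cr7."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    entry = next((p for p in packages if p.get("name") == PACKAGE), None)
    if entry is None:
        return "not-installed"
    version = parse_version(entry.get("version", ""))
    if version is None:
        return "unknown"        # dev branch or pre-release: review by hand
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return "not-listed"     # release line not named in the advisory
    # Tuple comparison is numeric, so 5.0.10 correctly sorts after 5.0.3.
    return "patched" if version >= fixed else "vulnerable"


def make_lock(version):
    """Build a constructed composer.lock fragment for the given version."""
    return json.dumps({
        "packages": [
            {"name": "symfony/console", "version": "v5.4.40"},
            {"name": PACKAGE, "version": version},
        ],
        "packages-dev": [],
    })


if __name__ == "__main__":
    for sample in ("v4.6.24", "v4.6.25", "v5.0.2", "v5.0.3", "dev-main"):
        print(sample, "->", check_lock(make_lock(sample)))
```

A result of "unknown" or "not-listed" means the lock file alone cannot settle the question and the installed code should be compared with the vendor advisory directly.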
Source: This report was generated using AI