CVE-2025-10758: Cross Site Scripting in htmly
A security vulnerability has been detected in htmly up to and including version 3.1.0. The affected element is an unknown function in the file /htmly/admin/field/post of the Custom Field Handler component. Manipulation of the 'label' argument leads to cross-site scripting. The attack can be launched over the network. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10758 is a cross-site scripting (XSS) vulnerability in the htmly content management system (CMS), affecting versions up to and including 3.1.0. It resides in the Custom Field Handler component, in the file /htmly/admin/field/post, where an unspecified function accepts the 'label' argument without neutralizing it before it is rendered in the administrative interface, so a crafted label can inject script that executes in an administrator's browser. The advisory does not state whether the payload is stored or reflected. The CVSS 4.0 vector is network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), user interaction required (UI:P), and low impact on confidentiality and integrity, giving a medium score of 4.8. PR:H means the attacker needs an account with elevated privileges to submit the malicious label; "can be launched remotely" refers to the network attack vector, not to unauthenticated access. In practice the flaw matters as a way for a compromised or malicious privileged account to attack other administrators, or for an attacker who can induce a privileged user to submit the payload. The vendor has not responded to the disclosure and no patch has been released. No exploitation in the wild is known, but exploit details are public, which lowers the bar for abuse. Successful exploitation runs arbitrary JavaScript in the admin interface and could lead to session hijacking, content defacement, or further compromise of the CMS environment.
Potential Impact
For European organizations running htmly CMS versions up to 3.1.0, this vulnerability poses a moderate risk. Exploitation lets an attacker run script in the browser of an administrative user, which can lead to session hijacking, unauthorized changes to site content, or exposure of data visible in the admin interface. Because htmly is used to publish websites and blogs, a hijacked administrative session can result in defacement or delivery of malicious content to site visitors. The CVSS score is medium (4.8); the confidentiality and integrity impact is rated low, and there is no availability impact. Organizations with public-facing htmly installations, particularly sensitive or high-traffic sites, could face reputational damage and regulatory scrutiny under GDPR if personal data is exposed. The absence of a vendor response or a patch means compensating controls are the only option for now.
Mitigation Recommendations
Since no official patch is available, organizations should implement compensating controls immediately. Recommended measures:
1) Restrict access to the htmly admin interface (IP allow-listing or VPN-only access) and keep the set of accounts with high privileges as small as possible, since the CVSS vector (PR:H) indicates that such an account is needed to submit the malicious label.
2) If custom field labels are persisted, audit the existing custom field definitions for labels containing HTML or script markup; a payload that has already been submitted keeps firing until it is removed.
3) If you can modify the application, apply a temporary code fix that HTML-encodes the 'label' value for its output context before it is rendered; input filtering alone is easy to bypass.
4) Where a Web Application Firewall (WAF) sits in front of the site, add a rule that flags or blocks requests to /htmly/admin/field/post whose 'label' parameter contains angle brackets, event-handler attributes, or javascript: URIs, treating such signatures as a stopgap rather than a fix.
5) Monitor admin access logs for unexpected requests to /htmly/admin/field/post and for administrative activity from unusual sources.
6) Warn administrators not to follow untrusted links into the admin interface or paste untrusted content into custom field labels.
7) Deploy a Content Security Policy (CSP) for the admin pages that disallows inline script, which limits what an injected payload can do if encoding is ever bypassed; test it first, since admin pages that rely on inline scripts may break.
8) Plan an upgrade to a fixed release when one is published, or evaluate migration to another CMS if none is forthcoming.
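The following is an added example written for this page; it is not htmly's own code and does not reproduce the real handler behind /htmly/admin/field/post. It shows the pattern the advisory describes (a custom-field label interpolated raw into admin HTML) next to a hardened version that encodes the value for its output context, plus the input-side guard and CSP header recommended above. The function names render_field_unsafe, render_field_safe, validate_label and send_admin_csp, the field name custom_1, and the two payloads are all hypothetical.

```php
<?php
// Added example, not htmly's own code. Demonstrates raw vs. encoded rendering
// of a custom-field label in two output contexts (element text and a
// double-quoted attribute), an input-side guard, and a CSP header.
declare(strict_types=1);

/** Encode a value for HTML text and double-quoted attribute contexts. */
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is safe inside attributes;
    // ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the label is interpolated raw into the admin page. */
function render_field_unsafe(string $name, string $label): string
{
    return '<label for="' . $name . '">' . $label . '</label>'
         . '<input type="text" name="' . $name . '" placeholder="' . $label . '">';
}

/** Hardened rendering: every untrusted value is encoded at the point of output. */
function render_field_safe(string $name, string $label): string
{
    return '<label for="' . h($name) . '">' . h($label) . '</label>'
         . '<input type="text" name="' . h($name) . '" placeholder="' . h($label) . '">';
}

/** Input-side guard (hypothetical policy): labels are short and contain no angle brackets. */
function validate_label(string $label): bool
{
    return mb_strlen($label, 'UTF-8') <= 64 && !preg_match('/[<>]/u', $label);
}

/** CSP for admin pages: no inline script, so an injected payload has little to execute. */
function send_admin_csp(): void
{
    // header() is a no-op under the CLI; in a web context it must run before any output.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

send_admin_csp();

// Constructed payloads standing in for a malicious 'label' argument.
$payloads = [
    '<script>alert(document.cookie)</script>',   // text-context injection
    '" autofocus onfocus="alert(1)',             // attribute-context breakout, no < or >
];

foreach ($payloads as $p) {
    echo "unsafe:   ", render_field_unsafe('custom_1', $p), "\n";
    echo "safe:     ", render_field_safe('custom_1', $p), "\n";
    echo "validate: ", validate_label($p) ? 'accepted' : 'rejected', "\n\n";
}
```

Run it with `php example.php`. The second payload contains no angle brackets, so validate_label accepts it, yet in the unsafe renderer it closes the placeholder attribute and adds an event handler; only the encoded renderer neutralizes it. That is why item 3 above treats output encoding as the fix and input filtering as a supplement. The CSP omits 'unsafe-inline', so it will also block any legitimate inline scripts the admin pages use; check the browser console for CSP violation reports before enforcing it.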
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-20T06:54:20.906Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68cf4b3a4a0b186b932211cb
Added to database: 9/21/2025, 12:47:54 AM
Last enriched: 9/29/2025, 12:44:34 AM
Last updated: 11/4/2025, 3:27:34 PM