CVE-2025-10758 is a cross-site scripting (XSS) vulnerability identified in htmly, a content management system, affecting versions up to 3.1.0, specifically versions 3.0 and 3.1.0. The vulnerability resides in the Custom Field Handler component, within the /htmly/admin/field/post file. The issue arises due to improper sanitization or validation of the 'label' argument, which can be manipulated by an attacker to inject malicious scripts. This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when they access the affected admin interface or any page that processes the vulnerable input. The attack can be launched remotely without authentication, although the CVSS vector indicates a requirement for high privileges (PR:H) and user interaction (UI:P), suggesting that exploitation might require an authenticated user with elevated privileges to interact with a crafted input. The vendor has been notified but has not responded, and no patches are currently available. Although no known exploits are reported in the wild, the public disclosure of the exploit increases the risk of exploitation. The CVSS score of 4.8 (medium severity) reflects moderate impact, with the vulnerability primarily affecting integrity and potentially confidentiality through script execution, but not availability. The vulnerability does not involve scope change or privilege escalation beyond the initial requirement. Given the nature of XSS, successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user within the htmly admin interface.

For European organizations using htmly CMS versions 3.0 or 3.1.0, this vulnerability poses a risk primarily to administrative users who have access to the Custom Field Handler interface. Exploitation could lead to compromise of administrative sessions, allowing attackers to manipulate content, steal sensitive information, or further pivot within the organization’s web infrastructure. This is particularly concerning for organizations managing sensitive or regulated data, such as those in finance, healthcare, or government sectors. The lack of vendor response and absence of patches increase the window of exposure. Additionally, since the attack requires user interaction and high privileges, the threat is more significant in environments with multiple administrators or where phishing/social engineering could be used to trick privileged users into triggering the exploit. The impact on confidentiality and integrity could lead to reputational damage, regulatory non-compliance (e.g., GDPR), and potential financial losses. However, the medium severity and exploitation complexity somewhat limit the immediate widespread impact.

European organizations should take proactive steps to mitigate this vulnerability despite the absence of an official patch. First, restrict administrative access to the htmly CMS to trusted networks and users, employing network segmentation and VPNs to limit exposure. Implement strict input validation and output encoding on the 'label' parameter within the Custom Field Handler if custom development or overrides are possible. Employ Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. Educate administrators on phishing and social engineering risks to prevent inadvertent exploitation. Monitor web server and application logs for suspicious activity related to the /htmly/admin/field/post endpoint. Consider deploying a Web Application Firewall (WAF) with rules targeting XSS payloads specific to htmly. Finally, plan for an upgrade or migration to a more secure CMS platform or wait for vendor patches, and maintain regular backups to enable recovery if compromise occurs.