CVE-2025-10946 is a cross-site scripting (XSS) vulnerability identified in the nuz007 smsboom product, specifically affecting versions up to commit 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674. The vulnerability resides in an unspecified function within the dy.php file, where manipulation of the 'hm' argument allows injection of malicious scripts. This vulnerability enables remote attackers to execute arbitrary JavaScript in the context of the victim's browser without requiring authentication, although user interaction is necessary to trigger the exploit. The product follows a rolling release model, so exact version numbers are not provided, complicating precise patching. The CVSS v4.0 base score is 5.1, categorizing it as a medium severity issue. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L), with no impact on availability. No known exploits are currently reported in the wild. The vulnerability's root cause is insufficient input validation or output encoding of the 'hm' parameter, leading to reflected or stored XSS, which can be leveraged for session hijacking, phishing, or delivering malicious payloads to users interacting with the vulnerable web interface.

For European organizations using nuz007 smsboom, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data accessed via the affected web interface. Successful exploitation could allow attackers to hijack user sessions, steal sensitive information, or perform actions on behalf of legitimate users, potentially leading to data breaches or unauthorized operations. Given that smsboom is an SMS-related product, exploitation could also facilitate social engineering attacks or manipulation of messaging workflows. The requirement for user interaction limits the scope somewhat, but phishing campaigns or malicious links could be used to trigger the vulnerability. The rolling release nature of the product may delay patch deployment, increasing exposure time. Organizations with public-facing smsboom instances are at higher risk, especially if users have elevated privileges. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation that could impact business operations, compliance with data protection regulations such as GDPR, and customer trust.

1. Immediate mitigation should include implementing strict input validation and output encoding for the 'hm' parameter in dy.php to neutralize malicious script injections. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the smsboom interface. 3. Conduct a thorough code review of the smsboom application to identify and remediate similar XSS vectors, especially in user-controllable inputs. 4. Since the product uses a rolling release model, coordinate closely with the vendor or development team to obtain and deploy patches or updates that address this vulnerability as soon as they become available. 5. Educate users on the risks of clicking on suspicious links and implement multi-factor authentication to reduce the impact of session hijacking. 6. Monitor web server logs and application behavior for unusual requests targeting the 'hm' parameter or signs of XSS exploitation attempts. 7. If immediate patching is not feasible, consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this vulnerability.