CVE-2025-11183 is a Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, identified in the attribute table component of QGIS QWC2, an open-source web client for QGIS server. The vulnerability exists due to improper neutralization of input during web page generation, allowing an attacker with authorized access to inject arbitrary JavaScript code into the affected web interface. This injection occurs because user-supplied data in the attribute table is not properly sanitized or encoded before being rendered in the browser. The flaw affects versions of QGIS QWC2 prior to 2025.08.14. Exploitation requires the attacker to have authorized privileges and involves some user interaction, such as viewing the manipulated attribute table. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, so this is a discrepancy to note), user interaction required (UI:P), and high impact on confidentiality (VC:H), low impact on integrity (VI:L), and no impact on availability (VA:N). The vulnerability could enable attackers to execute malicious scripts in the context of the victim’s browser session, potentially leading to theft of session tokens, unauthorized actions, or defacement. No public exploits are currently known, and no patches are linked yet, but the vulnerability is published and reserved by NCSC.ch. Given QGIS QWC2’s usage in geospatial data visualization and management, this vulnerability could affect organizations relying on spatial data services.

For European organizations, the impact of CVE-2025-11183 can be significant in sectors that rely heavily on geospatial data, such as government agencies, urban planning departments, environmental monitoring bodies, and utilities management. Successful exploitation could lead to unauthorized script execution within the context of legitimate users, enabling session hijacking, data theft, or manipulation of displayed geospatial information. This could compromise decision-making processes, leak sensitive location data, or disrupt services relying on accurate spatial information. Since the vulnerability requires authorized access and user interaction, the risk is somewhat contained but still relevant in environments with multiple users and shared access. The confidentiality impact is high, as attackers can potentially access sensitive data or credentials. Integrity impact is lower but still present due to possible data manipulation. Availability is not affected. The medium severity rating reflects these factors. Organizations with public-facing QGIS QWC2 deployments or those with many authorized users are at higher risk.

To mitigate CVE-2025-11183, European organizations should: 1) Monitor QGIS project announcements closely and apply security patches or updates as soon as they become available for QWC2. 2) Implement strict input validation and output encoding in the attribute table component to neutralize any injected scripts. 3) Restrict access to QGIS QWC2 interfaces to trusted users only, employing strong authentication and role-based access controls to limit the number of authorized users who could exploit this vulnerability. 4) Educate users about the risks of interacting with untrusted or suspicious attribute data entries. 5) Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting the execution of unauthorized scripts. 6) Conduct regular security audits and penetration testing focusing on web interface components to detect similar vulnerabilities. 7) Use web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting QGIS QWC2.