CVE-2025-11183 is a medium-severity Cross-Site Scripting (XSS) vulnerability identified in the QGIS QWC2 web client, specifically in the attribute table functionality. QGIS QWC2 is an open-source web client used to display and interact with geospatial data served by QGIS Server. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an authorized attacker to inject arbitrary JavaScript code into the web interface. This can occur when the attacker inputs malicious script code into attribute table fields, which are then rendered without proper sanitization or encoding. Exploitation requires the attacker to have authorized access to the QWC2 interface and to trick a user into interacting with the malicious content (user interaction required). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, but the description states authorized attacker, so likely some privilege is needed), user interaction required (UI:P), and high impact on confidentiality (VC:H), low impact on integrity (VI:L), and no impact on availability. The vulnerability could lead to session hijacking, theft of sensitive geospatial data, or unauthorized actions performed on behalf of the user. No public exploits or patches are currently available, but the vulnerability was published on October 13, 2025, with a reserved date of September 30, 2025. The QGIS project should prioritize releasing a patch to sanitize inputs properly and prevent script injection. Until then, organizations should implement compensating controls to limit exposure.

For European organizations, the impact of CVE-2025-11183 can be significant, particularly for those relying on QGIS QWC2 for geospatial data visualization and decision-making. Sectors such as government agencies, urban planning departments, environmental monitoring bodies, and critical infrastructure operators often use QGIS tools extensively. Exploitation could lead to unauthorized disclosure of sensitive spatial data, manipulation of displayed information, or execution of malicious actions via the victim's browser session. This could undermine trust in geospatial data integrity and confidentiality, disrupt operational workflows, and potentially expose critical infrastructure layouts or environmental data to adversaries. Given the network-based attack vector and the medium severity, attackers could leverage this vulnerability to escalate further attacks within the network or conduct targeted espionage. The requirement for authorized access limits the attack surface but does not eliminate risk, especially in environments with multiple users or weak access controls. The absence of known exploits currently reduces immediate risk but does not preclude future exploitation attempts.

1. Monitor QGIS project communications closely and apply official patches or updates for QWC2 as soon as they become available to address CVE-2025-11183. 2. Implement strict access controls to QWC2 interfaces, ensuring only trusted and necessary users have authorized access. 3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting attribute tables. 4. Conduct input validation and output encoding on all user-supplied data within QWC2, especially in attribute tables, to prevent script injection. 5. Educate users about the risks of interacting with untrusted content within QWC2 and encourage vigilance against phishing or social engineering attempts. 6. Regularly audit and monitor logs for unusual activity or signs of attempted exploitation. 7. Consider network segmentation to isolate QGIS servers from broader enterprise networks, reducing lateral movement potential. 8. If feasible, deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts within the QWC2 web client. 9. Review and tighten privilege assignments to minimize the number of users with write or edit capabilities in attribute tables.