CVE-2025-11421 identifies a cross-site scripting vulnerability in the code-projects Voting System version 1.0, specifically within the /admin/candidates_edit.php file. The vulnerability arises from improper sanitization of user-supplied input in the Firstname, Lastname, and Platform parameters, which are used in candidate editing functionality. An attacker can craft malicious input to inject arbitrary JavaScript code that executes in the context of an authenticated administrator's browser session. The vulnerability is remotely exploitable without requiring authentication, though user interaction is necessary to trigger the malicious payload. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of exploitation (low attack complexity, no privileges required) but limited impact on confidentiality and integrity. The vulnerability does not affect availability and does not require scope changes. No official patches or fixes have been released yet, and no public exploits have been observed in the wild, though proof-of-concept code has been published. The flaw is typical of reflected or stored XSS issues where input is not properly validated or encoded before rendering in the admin interface, potentially allowing session hijacking, credential theft, or UI manipulation.

The primary impact of this vulnerability is on the confidentiality and integrity of the administrative users of the voting system. Exploitation could allow attackers to hijack admin sessions, steal sensitive information, or manipulate the voting system's user interface to mislead administrators. While the availability of the system is not directly affected, successful attacks could undermine trust in the voting process and lead to administrative disruption. Organizations relying on this voting system, especially in sensitive electoral or polling environments, face risks of data exposure and manipulation. The medium severity rating reflects that while the vulnerability is exploitable remotely and without authentication, it requires user interaction and affects a limited attack surface (admin panel). The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code is publicly available.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data fields in the /admin/candidates_edit.php page, particularly the Firstname, Lastname, and Platform parameters. Employing a robust web application firewall (WAF) with rules to detect and block XSS payloads can provide an additional layer of defense. Administrators should be trained to recognize suspicious links or inputs that could trigger XSS attacks. Until an official patch is released, consider restricting access to the admin interface by IP whitelisting or VPN to reduce exposure. Regularly monitor logs for unusual activity and review user inputs for malicious content. Applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Finally, coordinate with the vendor or community to obtain or develop patches and update the software promptly once available.