
CVE-2025-11435: Cross Site Scripting in JhumanJ OpnForm

Severity: Medium
Published: Wed Oct 08 2025 (10/08/2025, 05:32:08 UTC)
Source: CVE Database V5
Vendor/Project: JhumanJ
Product: OpnForm

Description

A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch.

AI-Powered Analysis

Last updated: 10/08/2025, 05:50:02 UTC

Technical Analysis

CVE-2025-11435 is a cross-site scripting vulnerability identified in JhumanJ OpnForm, specifically affecting versions 1.9.0 through 1.9.3. The vulnerability resides in an unspecified functionality of the /show/submissions endpoint, which improperly sanitizes user-supplied input, allowing attackers to inject malicious JavaScript code. This flaw can be exploited remotely without requiring authentication, but it necessitates user interaction, such as a victim clicking a malicious link or visiting a compromised page. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:P). The impact primarily affects the integrity and confidentiality of the victim’s session or data, potentially enabling session hijacking, defacement, or redirection to malicious sites. Although no active exploitation has been reported, the vulnerability has been publicly disclosed, and a patch is available identified by commit a2af1184e53953afa8cb052f4055f288adcaa608. Organizations using affected versions of OpnForm should apply the patch promptly to prevent exploitation. The vulnerability underscores the importance of proper input validation and output encoding in web applications to mitigate XSS risks.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications relying on JhumanJ OpnForm for form submissions and data collection. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, or theft of sensitive information entered into forms. This can undermine user trust, cause data integrity issues, and potentially lead to regulatory non-compliance under GDPR if personal data is compromised. Sectors such as government, healthcare, finance, and e-commerce that utilize OpnForm for customer or citizen interactions are particularly vulnerable. The medium severity rating reflects that while the vulnerability does not allow full system compromise, it can facilitate targeted phishing or social engineering attacks that escalate into broader breaches. The remote and unauthenticated nature of the exploit increases the attack surface, making it easier for threat actors to attempt exploitation at scale if the patch is not applied.

Mitigation Recommendations

1. Immediately apply the official patch identified by commit a2af1184e53953afa8cb052f4055f288adcaa608 to all affected OpnForm instances.
2. Conduct a thorough code review of all input handling in the /show/submissions endpoint and related components to ensure proper input validation and output encoding are enforced.
3. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
4. Educate users and administrators about the risks of clicking unknown links and the importance of verifying URLs, especially in contexts involving form submissions.
5. Monitor web application logs for unusual or suspicious requests targeting the /show/submissions endpoint to detect potential exploitation attempts early.
6. Consider deploying Web Application Firewalls (WAF) with rules tailored to detect and block XSS payloads targeting OpnForm.
7. Regularly update and patch all web-facing applications and dependencies to minimize exposure to known vulnerabilities.
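The pattern behind this class of flaw in a submissions view, shown as an added example that is not OpnForm's code: submitted field values concatenated straight into markup beside the hardened form that HTML-encodes each value, plus the kind of CSP header the recommendations refer to. The submission records, field names and CSP value are constructed for illustration.

```javascript
// Added example, not OpnForm's code: a minimal submissions view in two forms.
// Submission records below are constructed for illustration.

// Constructed sample: one benign record and one whose field value carries markup.
const SAMPLE_SUBMISSIONS = [
  { id: 1, fields: { name: 'Alice', comment: 'Thanks for the form' } },
  { id: 2, fields: { name: 'Mallory', comment: '<script>alert(1)</script>' } },
];

// HTML encoding suitable for text nodes and double-quoted attribute values.
// '&' must be replaced first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE PATTERN: submitted values are interpolated into markup unchanged,
// so a value containing markup becomes part of the page shown to whoever views it.
function renderSubmissionsUnsafe(submissions) {
  const rows = submissions.map((s) =>
    `<tr data-id="${s.id}">` +
    Object.values(s.fields).map((v) => `<td>${v}</td>`).join('') +
    '</tr>');
  return `<table>${rows.join('')}</table>`;
}

// HARDENED: every untrusted value is encoded for the HTML context it lands in.
function renderSubmissionsSafe(submissions) {
  const rows = submissions.map((s) =>
    `<tr data-id="${escapeHtml(s.id)}">` +
    Object.values(s.fields).map((v) => `<td>${escapeHtml(v)}</td>`).join('') +
    '</tr>');
  return `<table>${rows.join('')}</table>`;
}

// Defence in depth: a CSP that forbids inline script limits the impact if an
// encoding bug slips through. The policy value is illustrative, not OpnForm's.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

// Review check: does the rendered page still contain a live <script> tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}
```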


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-07T13:17:05.711Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68e5fb6c339ddfd99564b60d

Added to database: 10/8/2025, 5:49:32 AM

Last enriched: 10/8/2025, 5:50:02 AM

Last updated: 10/8/2025, 9:49:17 AM

