CVE-2025-26732 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the StoreBiz e-commerce platform developed by burgersoftware. The flaw stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious scripts that execute within the victim's browser environment. Unlike traditional reflected or stored XSS, DOM-based XSS occurs entirely on the client side, manipulating the Document Object Model without server-side sanitization. This vulnerability affects all versions of StoreBiz up to 1.0.32, with no patches currently available. An attacker can craft a malicious URL or input that, when processed by the vulnerable StoreBiz application, causes the victim's browser to execute arbitrary JavaScript code. Potential consequences include session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability does not require user authentication, making it exploitable by unauthenticated remote attackers. While no active exploitation has been reported, the widespread use of StoreBiz in small to medium e-commerce businesses increases the attack surface. The lack of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics and potential impact.

The exploitation of this DOM-based XSS vulnerability can have severe consequences for organizations using StoreBiz. Attackers can execute arbitrary scripts in the context of users' browsers, leading to theft of session cookies, personal data, or payment information, which is critical for e-commerce platforms. This can result in account takeover, fraudulent transactions, and reputational damage. Additionally, attackers may use the vulnerability to deliver malware or conduct phishing attacks by modifying the content displayed to users. The vulnerability affects the confidentiality and integrity of user data and can indirectly impact availability if attackers disrupt services or cause users to lose trust. Given the unauthenticated nature of the exploit and the ease of delivering malicious payloads via crafted URLs, the threat is significant. Organizations worldwide that rely on StoreBiz for online storefronts are at risk, particularly those with high traffic and sensitive customer data.

Since no official patches are currently available, organizations should implement immediate mitigations to reduce risk. First, apply strict input validation and sanitization on all user-supplied data, especially data reflected in the DOM or used in client-side scripts. Employ context-aware output encoding to neutralize potentially malicious characters before rendering in the browser. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly audit and review client-side code for unsafe DOM manipulations, particularly those involving URL fragments, query parameters, or user inputs. Educate developers on secure coding practices related to DOM-based XSS. Monitor web traffic for suspicious requests that may indicate exploitation attempts. Finally, plan for timely updates once the vendor releases a security patch addressing this vulnerability.