CVE-2025-26766 identifies a stored Cross-site Scripting (XSS) vulnerability in the VaultDweller Leyka product, affecting all versions up to and including 3.31.8. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the server. When other users access the affected pages, the malicious scripts execute in their browsers within the security context of the vulnerable application. This can lead to a range of attacks including session hijacking, theft of sensitive information such as cookies or credentials, defacement, or unauthorized actions performed on behalf of the victim user. The vulnerability does not require authentication to exploit, nor does it require user interaction beyond visiting a crafted page, increasing its risk profile. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability was published on February 16, 2025, and is tracked under CVE-2025-26766. The lack of patches currently available means organizations must rely on interim mitigations until official fixes are released. The issue highlights the importance of proper input validation and output encoding in web applications to prevent injection attacks.

The impact of CVE-2025-26766 is significant for organizations using VaultDweller Leyka, as stored XSS vulnerabilities can compromise user confidentiality by exposing session tokens and personal data. Integrity is at risk because attackers can manipulate the content displayed to users or perform unauthorized actions on their behalf. Availability could also be affected if attackers use the vulnerability to inject scripts that disrupt normal application functionality or launch further attacks such as malware distribution. Since exploitation requires no authentication and minimal user interaction, the attack surface is broad, potentially affecting all users of the vulnerable application. This can lead to reputational damage, regulatory penalties, and financial losses, especially for organizations handling sensitive or regulated data. The absence of known exploits currently provides a window for proactive mitigation, but the vulnerability remains a critical risk until patched.

Organizations should immediately audit their Leyka deployments to identify affected versions (<= 3.31.8) and prepare for patching once updates are released by VaultDweller. In the interim, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Employ web application firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense. Educate users about the risks of clicking on suspicious links and monitor logs for unusual activity indicative of exploitation attempts. Regularly review and update security controls and conduct penetration testing focused on injection vulnerabilities. Coordinate with VaultDweller support channels to receive timely updates and patches.