CVE-2025-27361: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thhake Photo Express for Google
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thhake Photo Express for Google allows Reflected XSS. This issue affects Photo Express for Google: from n/a through 0.3.2.
AI Analysis
Technical Summary
CVE-2025-27361 is a high-severity reflected Cross-site Scripting (XSS) vulnerability in the thhake Photo Express for Google application, affecting versions up to and including 0.3.2. It is classified under CWE-79 (improper neutralization of input during web page generation): the application reflects user-supplied input into a generated page without adequate sanitization or output encoding, so an attacker can inject script. When a victim interacts with a crafted URL or input, the injected script executes in the victim's browser context, which can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or redirection to malicious sites. The CVSS v3.1 base score is 7.1: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction required (UI:R). The scope is changed (S:C), meaning that exploitation can affect components beyond the vulnerable one. Confidentiality, integrity, and availability impacts are each rated low, but in combination they can significantly compromise user trust and application security. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in February 2025 and published in June 2025, indicating recent discovery and disclosure. The affected product, Photo Express for Google by thhake, is a web-based photo management or editing tool integrated with Google services, likely used by end-users and organizations for photo handling tasks.
Potential Impact
For European organizations, this vulnerability poses a tangible risk, especially for those relying on Photo Express for Google for internal or customer-facing photo management workflows. Exploitation could lead to unauthorized access to user sessions, leakage of sensitive information, or manipulation of user actions, potentially violating GDPR requirements concerning data protection and user consent. The reflected XSS could be leveraged in phishing campaigns targeting employees or customers, undermining trust and causing reputational damage. Additionally, if the application is embedded in or integrated with larger enterprise systems, the scope change (S:C) suggests that the impact could extend beyond the immediate application, potentially affecting other connected services or data. Organizations in sectors with high privacy and security requirements, such as finance, healthcare, and government, may face increased risk and regulatory scrutiny if exploited. The lack of available patches calls for immediate risk management and mitigation to prevent exploitation.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement several specific mitigations:
1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block reflected XSS attack patterns targeting Photo Express for Google URLs and parameters.
2) If source code access is available, add input validation and output encoding at the application layer so that all user input is sanitized before it is rendered.
3) Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of any injected script.
4) Educate users and administrators about the risks of clicking suspicious links and encourage cautious handling of URLs related to Photo Express for Google.
5) Monitor logs and network traffic for unusual patterns indicative of attempted exploitation.
6) If possible, isolate the Photo Express for Google deployment within segmented network zones to limit lateral movement in case of compromise.
7) Engage with the vendor or community to obtain updates or patches as they become available, and plan for timely application of fixes.
8) Review and update incident response plans to include scenarios involving XSS exploitation in this application.
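As an added defender-side example (not part of this advisory or the vendor's code), the following implements mitigation 5 as a log check: it parses access-log lines in combined format, decodes query-string values (including double-encoded ones), and flags requests to the application's reflecting endpoint that carry script-like markers. The endpoint path `/photo-express/` and the log lines are constructed assumptions; substitute the real path of the deployment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Combined-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Coarse markers that rarely occur in legitimate gallery/album query values.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*(img|svg|iframe)\b', re.I
)

# Constructed sample lines (not real traffic); the path "/photo-express/gallery"
# is an assumed placeholder for the application's reflecting endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2025:12:05:01 +0000] "GET /photo-express/gallery?album=holiday HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Jun/2025:12:05:03 +0000] "GET /photo-express/gallery?album=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.4 - - [27/Jun/2025:12:05:05 +0000] "GET /photo-express/gallery?album=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640',
    '198.51.100.5 - - [27/Jun/2025:12:05:07 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 100',
]

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_reflected_xss(lines, path_hint="/photo-express/"):
    """Return (ip, path, param, decoded_value) for each request whose query
    string, on a path containing path_hint, carries a script-like marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlparse(m.group("target"))
        if path_hint not in url.path:
            continue  # only the application's own endpoints are in scope
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl already decoded one level
            if XSS_MARKERS.search(value):
                hits.append((m.group("ip"), url.path, name, value))
    return hits
```

The markers are a coarse triage heuristic, not a substitute for WAF rules or for the output-encoding fix in mitigation 2.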
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-02-21T16:46:11.506Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e88edca1063fb875de481
Added to database: 6/27/2025, 12:05:01 PM
Last enriched: 6/27/2025, 12:47:40 PM
Last updated: 8/1/2025, 12:37:46 PM
Related Threats
- CVE-2025-9010: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-9009: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-31961: CWE-1220 Insufficient Granularity of Access Control in HCL Software Connections (Low)
- CVE-2025-9008: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-9007: Buffer Overflow in Tenda CH22 (High)