CVE-2025-28936 identifies a Stored Cross-site Scripting (XSS) vulnerability in the sakurapixel Lunar platform, a web application designed for selling photos online. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers under the context of the vulnerable site. This can lead to session hijacking, credential theft, unauthorized actions, or distribution of malware. The affected versions include all releases up to and including 1.3.0. No CVSS score has been assigned yet, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and considered serious. The lack of patch links indicates that a fix may not yet be available, requiring users to implement interim mitigations. Stored XSS vulnerabilities are particularly dangerous because they do not require user interaction beyond visiting a compromised page and can affect multiple users. The Lunar platform’s niche market in photo selling means the attack surface is specialized but potentially global. The vulnerability was reserved and published in March 2025 by Patchstack, indicating recent discovery and disclosure.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions within the Lunar platform. Attackers exploiting the stored XSS can execute arbitrary JavaScript in the context of the victim’s browser, enabling theft of session cookies, personal information, or credentials. They may also perform unauthorized actions on behalf of users, such as changing account settings or making fraudulent transactions. Additionally, the vulnerability could be leveraged to deliver malware or redirect users to malicious sites, impacting availability indirectly through user trust erosion. Organizations using Lunar for photo sales could suffer reputational damage, financial loss, and regulatory consequences if customer data is compromised. Since the vulnerability is stored and persistent, it can affect multiple users over time, increasing the scope of impact. Although no active exploits are known, the public disclosure increases the risk of future exploitation, especially if patches are delayed. The impact is heightened in environments where Lunar is integrated with other business-critical systems or handles sensitive customer data.

Until an official patch is released by sakurapixel, organizations should implement several specific mitigations: 1) Employ strict input validation on all user-supplied data to ensure that scripts or HTML tags are not accepted or are properly sanitized before storage. 2) Apply context-aware output encoding/escaping on all data rendered in web pages to neutralize any malicious payloads. 3) Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4) Deploy a Web Application Firewall (WAF) with rules tuned to detect and block common XSS attack patterns targeting Lunar. 5) Conduct regular security audits and penetration testing focused on input handling and output rendering in Lunar. 6) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with user-generated content. 7) Monitor security advisories from sakurapixel and Patchstack closely and apply patches immediately upon release. 8) Consider isolating the Lunar application environment to limit lateral movement if an attack occurs. These measures go beyond generic advice by focusing on both prevention and detection tailored to the specific nature of the stored XSS in Lunar.