CVE-2025-29003: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mva7 The Holiday Calendar
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mva7 The Holiday Calendar allows Stored XSS. This issue affects The Holiday Calendar: from n/a through 1.18.2.1.
AI Analysis
Technical Summary
CVE-2025-29003 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the product 'The Holiday Calendar' by mva7, up to version 1.18.2.1. Stored XSS occurs when malicious input is improperly sanitized and then persistently stored by the application, later being rendered in web pages viewed by other users. This vulnerability allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts into the web interface of The Holiday Calendar. The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L). The impact scope is classified as changed (S:C), indicating that the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire application or user session. The CVSS v3.1 base score is 6.5, reflecting a medium severity level. The vulnerability can lead to partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L), such as session hijacking, defacement, or denial of service through script execution in the context of other users. No public exploits are currently known, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in June 2025, indicating recent discovery. The lack of a patch suggests that affected users should prioritize mitigation steps to reduce risk. Stored XSS is particularly dangerous because injected scripts persist and affect multiple users, increasing the attack surface and potential damage. The Holiday Calendar is a web-based application, likely used for scheduling or event management, which may be integrated into organizational intranets or public websites, increasing the risk of exposure.
Potential Impact
For European organizations using The Holiday Calendar, this vulnerability poses a significant risk to user data confidentiality and application integrity. Attackers could exploit the stored XSS to steal session cookies, impersonate users, or execute unauthorized actions within the application. This could lead to unauthorized access to sensitive scheduling information or internal communications. The availability impact, while lower, could manifest as denial of service through malicious script execution causing application instability or user lockout. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but can escalate if combined with social engineering. Organizations in sectors such as government, healthcare, education, and enterprises relying on The Holiday Calendar for internal coordination could face reputational damage, regulatory scrutiny under GDPR for data breaches, and operational disruptions. The persistence of the injected scripts means multiple users could be affected before detection and remediation, increasing the window of exposure.
Mitigation Recommendations
1. Immediate mitigation should include disabling or restricting user input fields that accept HTML or script content until a patch is available.
2. Implement strict input validation and output encoding on all user-supplied data, especially in areas where calendar events or notes are entered.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context.
4. Conduct regular security audits and penetration testing focusing on XSS vectors in The Holiday Calendar.
5. Educate users about the risks of clicking on suspicious links or interacting with unexpected content within the calendar interface.
6. Monitor application logs for unusual input patterns or script injection attempts.
7. Once available, promptly apply vendor patches or updates addressing this vulnerability.
8. Consider isolating The Holiday Calendar application behind web application firewalls (WAFs) with rules tuned to detect and block XSS payloads.
9. Review and harden session management to limit the impact of stolen session tokens.
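A worked illustration of items 2 and 3, added here as an example and not taken from the advisory or from the plugin's own code: the event fields (title, note), the two rendering functions and the CSP value are assumptions, and the sample record is constructed.

```javascript
// Added example: contextual output encoding for a stored calendar event
// (mitigation item 2) next to the concatenation pattern that causes stored
// XSS, plus a restrictive CSP value (item 3). Field names and rendering
// shape are hypothetical; they are not the plugin's real code.

// Encode untrusted text for an HTML text node or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored input is concatenated straight into markup, so
// a quote in the title breaks out of the attribute and a tag in the note
// becomes live HTML for every viewer of the calendar.
function renderEventUnsafe(event) {
  return `<div class="event" title="${event.title}">${event.note}</div>`;
}

// Hardened pattern: every untrusted value is encoded for the context it
// lands in (attribute value and text node both use the same encoder here).
function renderEventSafe(event) {
  return `<div class="event" title="${escapeHtml(event.title)}">${escapeHtml(event.note)}</div>`;
}

// Defence in depth for item 3: no inline scripts, scripts only from the
// site's own origin. Encoding above is still required; CSP only limits
// what an injection can do if encoding is missed somewhere.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample record of the kind a low-privileged user (PR:L) could
// save; the alert() calls are placeholders, not a real payload.
const sampleEvent = {
  title: 'Offsite" onmouseover="alert(1)',
  note: "Bring ID <script>alert(1)</script>",
};

// Number of '<' characters in rendered markup. The safe renderer emits
// exactly two (<div ...> and </div>); anything more is injected markup.
function openTagCount(html) {
  return (html.match(/</g) || []).length;
}
```

Run the two renderers over `sampleEvent` and compare `openTagCount` to see the difference: the unsafe output carries a live `<script>` element and a broken-out attribute, the safe output does not.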
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-11T08:10:52.910Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842edda71f4d251b5c87f6b
Added to database: 6/6/2025, 1:32:10 PM
Last enriched: 7/8/2025, 7:56:38 AM
Last updated: 8/12/2025, 1:14:35 AM