CVE-2025-30904 identifies a stored cross-site scripting (XSS) vulnerability in Ays Pro's Chartify product, a tool used for building charts and visual data representations. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored and later executed in the context of users' browsers. This persistent XSS flaw affects all versions up to 3.1.7, enabling attackers to inject JavaScript payloads that execute whenever a victim accesses the affected page or chart. Such scripts can steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The vulnerability does not require authentication or user interaction beyond visiting a compromised page, increasing its exploitation potential. Although no public exploits have been reported, the flaw's presence in a widely used charting tool raises concerns for organizations relying on Chartify for data visualization. The lack of a CVSS score necessitates an assessment based on impact and exploitability, which indicates a high severity level. The vulnerability highlights the importance of proper input sanitization and output encoding in web applications that dynamically generate content from user inputs.

The stored XSS vulnerability in Chartify can lead to significant security risks for organizations worldwide. Attackers can exploit this flaw to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, credential theft, unauthorized actions, and data exfiltration. For organizations using Chartify in internal dashboards or customer-facing portals, this can result in compromised user accounts, loss of sensitive data, and damage to reputation. The persistent nature of stored XSS means malicious scripts remain active until removed, increasing exposure time. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the network or to spread malware. The ease of exploitation without authentication or complex prerequisites broadens the threat scope, affecting any user accessing the compromised content. This vulnerability could also be leveraged in targeted attacks against high-value individuals or organizations relying heavily on Chartify for decision-making and reporting.

To mitigate CVE-2025-30904, organizations should immediately upgrade Chartify to a version where this vulnerability is patched once available. Until a patch is released, implement strict input validation on all user-supplied data to ensure that scripts or HTML tags are not accepted or are properly sanitized. Employ robust output encoding techniques, such as HTML entity encoding, to neutralize any potentially malicious content before rendering it in the browser. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which scripts can be loaded. Regularly audit and sanitize existing stored data to remove any malicious payloads. Monitor web application logs and user activity for signs of exploitation attempts. Additionally, educate developers on secure coding practices related to input handling and output encoding to prevent similar vulnerabilities in the future. Deploy web application firewalls (WAFs) with rules targeting XSS patterns as an additional protective layer.