
CVE-2025-36563: Cross-site scripting (XSS) in Alfasado Inc. PowerCMS

Severity: Medium
Published: Thu Jul 31 2025 (07/31/2025, 07:25:44 UTC)
Source: CVE Database V5
Vendor/Project: Alfasado Inc.
Product: PowerCMS

Description

A reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed in the administrator's browser.

AI-Powered Analysis

Last updated: 07/31/2025, 08:03:50 UTC

Technical Analysis

CVE-2025-36563 is a reflected cross-site scripting (XSS) vulnerability affecting multiple versions of Alfasado Inc.'s PowerCMS, specifically version 6.7 and earlier within the 6.x series. It is triggered when a product administrator accesses a specially crafted URL that carries script code in one of its parameters. Because the flaw is reflected, the payload travels inside the URL and is echoed into the response unencoded, so it runs immediately in the administrator's browser without ever being stored on the server. An attacker who gets an administrator to open such a URL can run arbitrary JavaScript in that administrator's session, which can lead to session hijacking, unauthorized actions performed with administrative privileges, or theft of sensitive information.

The CVSS v3.1 base score is 6.1 (medium). The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network without privileges and with low attack complexity, that it requires user interaction (the administrator must open the crafted URL), and that the scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity are affected; availability is not. No exploits are currently reported in the wild, and no patches or mitigations have been linked yet.

The vulnerability specifically targets the administrative interface of PowerCMS, the content management system used to manage website content and configuration. Reflected XSS against an admin interface is typically delivered through targeted phishing or social engineering aimed at administrators, and a successful compromise of an administrator session can lead to further compromise of the CMS and of the websites it manages.
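To make the mechanism concrete, here is an added Python example. It is not PowerCMS code and it does not reproduce the affected endpoint; the `/admin/search` path and the `q` parameter are assumptions standing in for any admin page that echoes a query parameter into its HTML. It parses a constructed crafted URL, shows how a handler that reflects the parameter verbatim hands the browser a live tag, and how HTML output encoding in the fixed handler turns the same input into inert text:

```python
"""Added example (not PowerCMS code): how a reflected XSS arises and how
output encoding removes it. Path and parameter name are assumptions."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed URL of the kind the advisory describes: the payload lives
# entirely in the query string and is never stored server-side.
CRAFTED_URL = "https://cms.example/admin/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the parameter verbatim, so the browser parses it as markup."""
    return f"<h1>Results for: {q}</h1>"


def render_fixed(q: str) -> str:
    """Encodes the parameter for an HTML text context before reflecting it.

    '<' becomes '&lt;', '>' becomes '&gt;', quotes become entities, so the
    same bytes are displayed as text instead of being executed.
    """
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def reflects_script_tag(url: str, name: str, renderer) -> bool:
    """True if a script tag supplied via the URL survives into the response."""
    return "<script" in renderer(query_param(url, name)).lower()


if __name__ == "__main__":
    q = query_param(CRAFTED_URL, "q")
    print("decoded parameter :", q)
    print("vulnerable output :", render_vulnerable(q))
    print("fixed output      :", render_fixed(q))
```

The point for defenders is that the fix is contextual output encoding at the place where untrusted input meets HTML, not input filtering: the fixed renderer accepts the same parameter and simply never emits it as markup.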

Potential Impact

For European organizations using PowerCMS 6.7 or earlier, this vulnerability poses a significant risk to the security of their web content management infrastructure. Successful exploitation could allow attackers to hijack administrator sessions, inject malicious content into managed websites, or gain unauthorized access to sensitive configuration data. This could lead to defacement, data leakage, or further lateral movement within the organization's network. Given that PowerCMS is often used by enterprises, media companies, and government agencies to manage critical web assets, the impact could extend to reputational damage, regulatory non-compliance (especially under GDPR if personal data is exposed), and operational disruptions. The requirement for user interaction (administrator clicking the malicious URL) means social engineering tactics are likely to be employed. European organizations with remote or distributed administrative teams may be particularly vulnerable if administrators access the CMS from less secure environments. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for targeted attacks, especially as details become public.

Mitigation Recommendations

Organizations should immediately review their use of PowerCMS and identify whether they are running version 6.7 or earlier. Until a vendor patch is available, practical mitigations include:

1) Educate and alert all CMS administrators about the risk of clicking untrusted links, especially those purporting to relate to PowerCMS administration.
2) Implement web application firewall (WAF) rules to detect and block suspicious URL patterns that may contain script injection attempts targeting the CMS admin interface.
3) Restrict administrative access to PowerCMS to trusted networks or VPNs to reduce exposure to external attackers.
4) Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks.
5) Monitor administrative logs for unusual access patterns or repeated attempts to access crafted URLs.
6) Plan and prioritize upgrading to the latest PowerCMS version once a patch is released, or apply any available vendor-provided workarounds.
7) Consider multi-factor authentication (MFA) for CMS administrators to mitigate session hijacking risks.
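Items 4 and 5 above are the ones a defender can act on today without a patch. The following added Python example (not part of the advisory and not Alfasado code) shows both: a scanner that walks constructed Common Log Format access-log lines, percent-decodes each request path repeatedly so double-encoded payloads are not missed, and flags requests to the admin path that carry script markup; and a helper that emits a nonce-based CSP header that disallows inline scripts. The `/admin/` prefix, the log lines and the IP addresses are all constructed for the example; PowerCMS's real admin URL is not given on the page.

```python
"""Added example (not from the advisory or from Alfasado): detecting reflected
XSS attempts against an assumed admin path in access logs, and a CSP header
that blocks inline script execution."""
import re
import secrets
from urllib.parse import unquote

# Assumed admin path prefix; PowerCMS's real admin URL is not on the page.
ADMIN_PREFIX = "/admin/"

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Markup fragments that have no legitimate place in an admin query string.
# The lookbehind keeps words like "confirm=" from matching the handler rule.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|(?<![a-z])on[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.I,
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jul/2025:07:25:44 +0000] "GET /admin/search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '198.51.100.4 - admin [31/Jul/2025:07:26:01 +0000] "GET /admin/dashboard HTTP/1.1" 200 8012',
    '203.0.113.7 - - [31/Jul/2025:07:26:30 +0000] "GET /admin/search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5100',
    '198.51.100.9 - - [31/Jul/2025:07:27:12 +0000] "GET /blog/?q=%3Cscript%3E HTTP/1.1" 200 3001',
    '192.0.2.1 - editor [31/Jul/2025:07:28:00 +0000] "GET /admin/page?title=Notes%20on%20script&confirm=1 HTTP/1.1" 200 2048',
]


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_access_log(lines, admin_prefix: str = ADMIN_PREFIX):
    """Return (client_ip, decoded_path, status) for admin requests with XSS markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, raw_path, status = m.groups()
        path = fully_decode(raw_path)
        if path.startswith(admin_prefix) and XSS_MARKERS.search(path):
            hits.append((ip, path, int(status)))
    return hits


def admin_csp_header(nonce: str) -> str:
    """CSP for the admin interface: only scripts carrying this nonce may run.

    No 'unsafe-inline', so a payload reflected into the page body has no
    nonce and is refused by the browser even if the server echoes it.
    """
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"suspicious admin request from {ip} (HTTP {status}): {path}")
    print("Content-Security-Policy:", admin_csp_header(secrets.token_urlsafe(16)))
```

Both hits in the sample come from the same client, one of them double-encoded, while the request to the public `/blog/` path and the benign `title=Notes on script&confirm=1` request are left alone. The nonce must be generated per response and placed on every legitimate `<script>` tag of the admin pages; a static nonce would defeat the purpose.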


Technical Details

Data Version
5.1
Assigner Short Name
jpcert
Date Reserved
2025-07-30T05:36:42.404Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688b1fa4ad5a09ad00b4899a

Added to database: 7/31/2025, 7:47:48 AM

Last enriched: 7/31/2025, 8:03:50 AM

Last updated: 8/31/2025, 3:55:30 AM
