CVE-2025-40975 identifies a stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo product, which is used for human resource management and ticketing. The vulnerability stems from improper neutralization of input during web page generation, specifically in the 'description' parameter of POST requests sent to the endpoint '/hrmgo/ticket/changereply'. Because the application fails to properly validate or sanitize this input, an attacker can inject malicious JavaScript code that is stored on the server and subsequently executed in the browsers of users who view the affected ticket replies. This type of stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. The CVSS 4.0 vector indicates the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), does not require authentication (AT:N), but does require user interaction (UI:P). The vulnerability impacts confidentiality and integrity but has limited availability impact. All versions of HRMGo are affected, and no patches or fixes are currently published. Although no known exploits have been observed in the wild, the presence of this vulnerability in a widely used HRM tool presents a significant risk, especially if attackers target users with privileged access or sensitive data. The vulnerability was assigned by INCIBE and published in January 2026, with the reservation date in April 2025. The CWE-79 classification confirms the root cause as improper input neutralization during web page generation.

For European organizations using WorkDo HRMGo, this vulnerability could lead to unauthorized script execution within the context of legitimate users, potentially exposing sensitive HR data, internal communications, and user credentials. Attackers could leverage this to escalate privileges, impersonate users, or pivot to other internal systems. The impact on confidentiality and integrity is significant, especially in sectors handling personal employee information and compliance-sensitive data under GDPR. Disruption of HR workflows or unauthorized data disclosure could result in regulatory penalties, reputational damage, and operational inefficiencies. Since the vulnerability requires user interaction but no authentication, phishing or social engineering campaigns could be used to trigger exploitation. Organizations with extensive remote workforces or those relying heavily on HRMGo for employee management are particularly at risk. The medium CVSS score reflects moderate exploitability and impact, but the potential for chained attacks or targeted exploitation in sensitive environments elevates the concern.

Organizations should implement strict input validation and output encoding on the 'description' parameter to neutralize malicious scripts before rendering. Until official patches are released by WorkDo, applying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting '/hrmgo/ticket/changereply' can reduce risk. Restricting user privileges to the minimum necessary and educating users about the risks of interacting with untrusted content can limit exploitation opportunities. Monitoring logs for unusual POST requests or anomalous user behavior related to ticket replies can help detect attempted exploitation. Additionally, organizations should engage with WorkDo for timely patch releases and consider isolating HRMGo instances from broader networks to contain potential breaches. Regular security assessments and penetration testing focusing on XSS vectors in HRMGo are recommended. Finally, enforcing Content Security Policy (CSP) headers can mitigate the impact of successful XSS by restricting script execution contexts.