CVE-2025-41087: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Taclia Taclia's web application
Description
Stored Cross-Site Scripting (XSS) vulnerability in the Taclia web application, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as profile images, which are then stored on the server and executed in the context of any user who accesses the compromised resource.
AI Analysis
Technical Summary
CVE-2025-41087 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, reported as affecting all versions of Taclia's web application. The root cause is improper neutralization of input during web page generation, specifically in the handling of uploaded SVG images. SVG is an XML document format rather than a bitmap: a file can carry a <script> element, event-handler attributes such as onload, javascript: URLs in href attributes, and <foreignObject> elements wrapping arbitrary HTML. Taclia's application stores uploaded SVG files without sanitizing these constructs. An attacker can therefore upload a crafted SVG, for example as a profile image, and when another user loads that resource the embedded script runs in that user's browser on the application's origin, potentially hijacking the session, stealing credentials, or performing actions on the victim's behalf. Browsers execute SVG script only when the file is rendered as a document (opened directly by URL, or embedded via <object>, <embed> or <iframe>); an SVG referenced through an <img> tag or a CSS background is rendered with scripting disabled, so how the application serves and references the stored file determines whether a given upload is actually exploitable. The vulnerability has a CVSS 4.0 score of 5.1 (medium): network attack vector, low attack complexity, no privileges required, but user interaction needed (the victim must load the malicious resource). Impact is confined to the web application's origin, and no in-the-wild exploitation has been reported. The CVE was reserved in April 2025 and published in November 2025 by INCIBE. No vendor patch is listed, so affected organizations need interim mitigations to reduce risk.
Potential Impact
For European organizations using Taclia's web application, this vulnerability poses a moderate risk to the confidentiality and integrity of user data. Successful exploitation can lead to session hijacking and unauthorized actions performed with the victim's privileges inside the application. The stored nature of the XSS raises the risk: the malicious SVG persists on the server and fires for every user who loads it, rather than requiring a crafted link per victim. Organizations processing personal data are exposed to data breaches and GDPR obligations if user sessions or records are compromised, and to reputational damage if the issue is exploited. Because exploitation requires user interaction (loading the malicious SVG), phishing or social engineering that points victims at the stored resource, or simply placing the file where users browse routinely such as a profile image, raises the likelihood of success. The medium CVSS score should not be read as low risk given the potential for targeted attacks against high-value European entities.
Mitigation Recommendations
1. Sanitize SVG uploads with an allow-list based sanitizer (keep only known-safe elements and attributes) rather than a block-list; block-lists routinely miss event-handler attributes, javascript: hrefs and <foreignObject>. Sanitize at upload time, before the file is stored.
2. Restrict or disable SVG uploads if not strictly necessary, or rasterize SVGs to PNG/WebP server-side. If SVG must be stored, serve it with Content-Disposition: attachment and from a separate, cookie-less origin so that a directly opened file never runs in the application's origin.
3. Apply a Content Security Policy on the response that serves the SVG itself (for example default-src 'none' together with the sandbox directive), not only on the application's HTML pages: an SVG opened directly is its own document and the page CSP does not cover it.
4. Enforce strict input validation and output encoding on all user-generated content.
5. Monitor upload handling for SVG files containing <script>, on* attributes or javascript: URLs and alert on them; a sanitizer that reports what it stripped provides this signal directly.
6. Educate users about interacting with untrusted content, and enforce multi-factor authentication together with short-lived HttpOnly session cookies so that script cannot read the session token outright (it can still issue requests while the page is open).
7. Engage with Taclia for patches or updates and apply them promptly once available.
8. Conduct regular security assessments and penetration testing focused on file upload functionality.
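The following is an added example written for this page, not Taclia's code: an allow-list SVG sanitizer of the kind mitigation 1 calls for, which also returns the "what was stripped" signal mitigation 5 says to log, plus the response headers from mitigations 2 and 3. It is run against a constructed malicious profile image carrying the script carriers described in the Technical Summary. The element and attribute allow-lists, the sample SVG and the header values are assumptions chosen for the example; it uses only the Python standard library.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Allow-list (an assumption for this example): enough for logos and avatars,
# with every script-capable construct absent: no <script>, <foreignObject>,
# <a>, <use>, <image>, <style> or <set>/<animate>.
ALLOWED_ELEMENTS = {
    "svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline",
    "polygon", "text", "tspan", "defs", "linearGradient", "radialGradient",
    "stop", "clipPath", "mask", "title", "desc",
}
# Attributes that take a URL and so could carry a javascript:/data: scheme.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Browsers tolerate leading whitespace/control characters before the scheme.
DANGEROUS_SCHEME = re.compile(r"^[\s\x00-\x1f]*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local_name(qname):
    """'{uri}name' -> 'name'; an unqualified name is returned unchanged."""
    return qname.rsplit("}", 1)[-1]


def _copy_clean(src, removed):
    """Rebuild one element keeping only allow-listed children and attributes.

    Returns the cleaned copy, or None when the element itself must be dropped.
    Everything stripped is appended to `removed` as 'element:name' or 'attr:name'.
    """
    name = _local_name(src.tag)
    # Drop elements outside the SVG namespace (e.g. XHTML inside <foreignObject>)
    # and anything not on the allow-list; the whole subtree goes with it.
    if not src.tag.startswith("{%s}" % SVG_NS) or name not in ALLOWED_ELEMENTS:
        removed.append("element:%s" % name)
        return None
    dst = ET.Element(src.tag)
    dst.text = src.text
    for attr, value in src.attrib.items():
        lname = _local_name(attr)
        if lname.lower().startswith("on"):
            removed.append("attr:%s" % lname)      # onload=, onclick=, onerror=, ...
        elif lname == "style":
            removed.append("attr:%s" % lname)      # inline CSS: keep the surface small
        elif attr in URL_ATTRS and DANGEROUS_SCHEME.match(value):
            removed.append("attr:%s" % lname)      # href="javascript:..." and friends
        elif "}" in attr and not attr.startswith("{%s}" % XLINK_NS):
            removed.append("attr:%s" % attr)       # attributes from foreign namespaces
        else:
            dst.set(attr, value)
    for child in src:
        clean = _copy_clean(child, removed)
        if clean is not None:
            clean.tail = child.tail
            dst.append(clean)
    return dst


def sanitize_svg(svg_bytes):
    """Return (sanitized_svg_bytes, removed).

    `removed` lists the stripped constructs; a non-empty list at upload time is
    the event worth logging and alerting on. In production parse with defusedxml
    instead of the stdlib parser so entity-expansion DoS is blocked as well.
    """
    root = ET.fromstring(svg_bytes)
    removed = []
    clean_root = _copy_clean(root, removed)
    if clean_root is None:
        raise ValueError("root element is not <svg> in the SVG namespace")
    ET.register_namespace("", SVG_NS)        # serialize as xmlns="..." rather than ns0:
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(clean_root, encoding="utf-8"), removed


def svg_response_headers():
    """Headers for serving a stored SVG (assumed values). <img> references still
    render, but a direct navigation downloads the file instead of running it as
    a document, and the CSP on the SVG response itself blocks script if the
    sanitizer is ever bypassed."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample: a benign avatar with four script carriers bolted on.
# Illustrative only; not taken from any report about Taclia.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="64" height="64" onload="alert(document.domain)">
  <title>avatar</title>
  <circle cx="32" cy="32" r="30" fill="#3366cc"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="40">hi</text></a>
  <foreignObject width="64" height="64">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>
"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    print(clean.decode())
    print("stripped:", removed)
    # stripped: ['attr:onload', 'element:script', 'element:a', 'element:foreignObject']
```

The sanitizer and the serving headers are independent layers: the former keeps script out of the stored file, the latter keeps any script that does slip through from running on the application's origin. Rebuilding the tree from an allow-list, instead of deleting known-bad nodes, is what makes the first layer robust against carriers the author did not think of.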
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:36.724Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69244343911d225366f85a6c
Added to database: 11/24/2025, 11:36:35 AM
Last enriched: 12/1/2025, 12:21:13 PM
Last updated: 1/8/2026, 6:03:19 PM
Related Threats
- CVE-2026-22587: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ideagen DevonWay (Medium)
- CVE-2026-22235: CWE-639 Authorization Bypass Through User-Controlled Key in OPEXUS eComplaint (High)
- CVE-2026-22234: CWE-639 Authorization Bypass Through User-Controlled Key in OPEXUS eCase Portal (Critical)
- CVE-2026-22233: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in OPEXUS eCASE Audit (Medium)
- CVE-2026-22232: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in OPEXUS eCASE Audit (Medium)