CVE-2025-42620: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in CIRCL Vulnerability-Lookup
In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html). This issue affects Vulnerability-Lookup: before 2.18.0.
AI Analysis
Technical Summary
CVE-2025-42620 is a stored Cross-Site Scripting (XSS) vulnerability identified in CIRCL's Vulnerability-Lookup product versions prior to 2.18.0. The root cause is the improper neutralization of user input during web page generation, classified under CWE-79. Specifically, the backend component accepts arbitrary strings in the related_vulnerabilities field of bundles without proper format validation or sanitization. On the frontend, comments and bundle descriptions are converted from Markdown to HTML and then injected directly into the Document Object Model (DOM) using string templates and innerHTML, which do not inherently sanitize content. This unsafe combination allows an attacker with the ability to create or edit comments or bundles to store malicious HTML or JavaScript payloads. When other users visit the affected profile page (user.html), these payloads execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS vector records high privileges required (PR:H) and active user interaction (UI:A); in practice the only privilege the attacker needs is the ability to create or edit comments or bundles, and the victim need only visit the profile page where the stored payload is rendered. The CVSS 4.0 score of 8.3 reflects a high severity due to network attack vector, low attack complexity, and high impact on confidentiality and integrity. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in April 2025 and published in December 2025. CIRCL users should upgrade to version 2.18.0 or later where this issue is fixed.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive information managed within Vulnerability-Lookup platforms. Exploitation could allow attackers to execute arbitrary scripts in the context of legitimate users, potentially leading to theft of authentication tokens, unauthorized access to vulnerability data, or manipulation of vulnerability records. This could undermine trust in vulnerability management processes and expose organizations to further attacks. Given that CIRCL tools are widely used by CERTs, CSIRTs, and security teams across Europe for vulnerability tracking and incident response, the impact extends to critical infrastructure sectors including finance, energy, and government. The stored nature of the XSS means malicious payloads persist and affect multiple users over time, increasing the attack surface. Although exploitation requires authenticated access, insider threats or compromised accounts could leverage this vulnerability. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score indicates urgent attention is warranted.
Mitigation Recommendations
European organizations should immediately upgrade Vulnerability-Lookup to version 2.18.0 or later where the vulnerability is patched. In addition, implement strict input validation and sanitization on all user-controlled fields, especially those rendered as HTML, to prevent injection of malicious scripts; a field such as related_vulnerabilities that is meant to hold vulnerability identifiers should accept only strings matching that format. Where rendered Markdown must keep its formatting, pass the converted HTML through a well-maintained sanitizer before it reaches the DOM; where plain text suffices, assign it with textContent instead of innerHTML. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Conduct regular code audits and penetration testing focused on input handling and frontend rendering logic. Limit permissions to create or edit comments and bundles to trusted users and monitor for unusual activity. Educate users about the risks of interacting with untrusted content within the platform. Finally, maintain up-to-date incident response plans to quickly address any exploitation attempts.
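The two defects described in the technical summary and the fixes recommended above, as an added example that is not Vulnerability-Lookup's own code: the accepted identifier formats, the Markdown subset standing in for the real converter, and the sample comment are constructed for illustration.

```javascript
// Added example (not Vulnerability-Lookup's own code). The advisory's two defects are
// modelled as pure string functions so the file runs in Node without a browser DOM.
// The identifier formats and the Markdown subset are assumptions made for this example.

// 1. Backend: related_vulnerabilities must be a list of vulnerability IDs, not free text.
const VULN_ID = /^(?:CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$/;

function validateRelatedVulnerabilities(values) {
  if (!Array.isArray(values)) throw new TypeError("related_vulnerabilities must be a list");
  const bad = values.filter((v) => typeof v !== "string" || !VULN_ID.test(v));
  if (bad.length) throw new RangeError(`invalid vulnerability id(s): ${bad.join(", ")}`);
  return values;
}

// 2. Frontend: a tiny Markdown subset (paragraphs and **bold**) as a stand-in for the
//    real converter. Like most Markdown converters it passes raw HTML through, so the
//    converted output still carries whatever tags the author typed.
function paragraphs(text) {
  return text
    .split(/\n{2,}/)
    .map((p) => "<p>" + p.replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>") + "</p>")
    .join("");
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable shape from the advisory: converted Markdown goes straight into a string
// template that the page then assigns to innerHTML.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${paragraphs(comment.description)}</div>`;
}

// Hardened shape: escape the author's text first, so the only markup in the result is
// what the renderer itself emits. A maintained HTML sanitizer is the alternative when
// the full Markdown feature set (links, images, raw HTML) must be kept.
function renderCommentSafe(comment) {
  return `<div class="comment">${paragraphs(escapeHtml(comment.description))}</div>`;
}

// Constructed sample comment: legitimate Markdown followed by an author-supplied tag.
const SAMPLE_COMMENT = {
  description: "Looks **related** to CVE-2025-42620.\n\n<script>alert(1)</script>",
};
```

Running `renderCommentUnsafe(SAMPLE_COMMENT)` yields markup in which the author's script tag survives intact, while `renderCommentSafe` keeps the bold formatting and renders the tag as visible text.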
Affected Countries
France, Germany, Belgium, Netherlands, Luxembourg, United Kingdom, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: ENISA
- Date Reserved: 2025-04-16T12:34:02.867Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6936c3245f72f49d1523dfdd
Added to database: 12/8/2025, 12:23:00 PM
Last enriched: 12/8/2025, 12:27:27 PM
Last updated: 12/8/2025, 4:54:03 PM