CVE-2025-45406 is a stored cross-site scripting (XSS) vulnerability identified in CodeIgniter4 version 4.6.0. The vulnerability arises from improper handling of the debugbar_time parameter, which could allow an attacker to inject arbitrary web scripts or HTML content. Stored XSS vulnerabilities occur when malicious input is saved by the web application and later rendered in a user's browser without proper sanitization or escaping, enabling execution of attacker-controlled scripts. However, this vulnerability is disputed by the software supplier, who argues that attackers cannot influence the debugbar_time parameter value and that debugbar-related data is automatically escaped by the CodeIgniter Parser class, which would mitigate the risk of script injection. The CVSS v3.1 base score is 6.1 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is remotely exploitable over the network without privileges, requires user interaction, and impacts confidentiality and integrity with a scope change. There are no known exploits in the wild at this time, and no patches have been linked yet. The vulnerability is categorized under CWE-79, which corresponds to Cross-site Scripting. Given the nature of stored XSS, successful exploitation could allow attackers to execute malicious scripts in the context of affected users, potentially leading to session hijacking, defacement, or redirection to malicious sites. However, the dispute by the supplier and the lack of confirmed exploitability suggest that the risk might be limited or mitigated in typical deployments.

For European organizations using CodeIgniter4 version 4.6.0, this vulnerability could pose a moderate risk, particularly for web applications that enable debugbar features accessible or influenced by untrusted users. Exploitation could lead to unauthorized disclosure of sensitive information (confidentiality impact) and modification of displayed content (integrity impact), potentially undermining user trust and compliance with data protection regulations such as GDPR. Although availability is not impacted, the reputational damage and potential data leakage could have significant consequences. The requirement for user interaction (UI:R) means that attackers would need to trick users into triggering the malicious payload, which may limit large-scale automated exploitation. The supplier's dispute and automatic escaping mechanisms may reduce the likelihood of successful exploitation, but organizations should not rely solely on this and should verify their specific implementation and usage of the debugbar component. European organizations in sectors with high web presence, such as finance, e-commerce, and public services, should be particularly vigilant, as attackers often target these sectors for data theft and fraud.

1. Immediate verification of whether the debugbar feature is enabled and accessible to untrusted users in the deployed CodeIgniter4 applications. If not required, disable the debugbar entirely to eliminate the attack surface. 2. Conduct a thorough code review and testing to confirm whether the debugbar_time parameter can be influenced by external inputs and whether the escaping mechanisms are effective in the specific deployment context. 3. Apply strict input validation and output encoding on all parameters related to debugbar and any user-controllable inputs, ensuring that any HTML or script content is properly sanitized. 4. Monitor web application logs and user reports for any suspicious activity or attempts to inject scripts via the debugbar_time parameter. 5. Stay updated with official CodeIgniter security advisories for any patches or updates addressing this vulnerability and apply them promptly once available. 6. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser, mitigating the impact of potential XSS attacks. 7. Educate users about phishing and social engineering risks, as exploitation requires user interaction. 8. Consider deploying Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense.