CVE-2025-46320 is a security vulnerability identified in Claris FileMaker Server's WebDirect component, specifically within the custom homepage functionality. The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject malicious scripts into the custom homepage. When a legitimate user or administrator accesses the compromised homepage, the injected script executes in their browser context. This can lead to session hijacking, unauthorized access, and potentially remote code execution on the server hosting FileMaker Server. The vulnerability arises due to insufficient input validation or output encoding in the custom homepage feature, allowing attacker-controlled input to be rendered unsanitized. The affected versions are unspecified but are prior to the patched versions 22.0.4 and 21.1.7, which fully address the issue. No public exploits have been reported yet, but the combination of XSS with the ability to escalate to remote code execution significantly increases the threat level. The vulnerability was reserved in April 2025 and published in February 2026, indicating a recent discovery and disclosure. The lack of a CVSS score requires an expert severity assessment based on the potential impact and exploitation complexity.

The impact of CVE-2025-46320 is substantial for organizations using Claris FileMaker Server with WebDirect custom homepages. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, data theft, or unauthorized actions within the FileMaker environment. More critically, the vulnerability can escalate to remote code execution on the server, potentially compromising the entire system, leading to data breaches, service disruption, or lateral movement within the network. This threatens the confidentiality, integrity, and availability of sensitive business data managed by FileMaker Server. Organizations relying on FileMaker Server for critical business applications, especially those exposing WebDirect interfaces to the internet, face increased risk of targeted attacks. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure. The vulnerability's exploitation could also damage organizational reputation and lead to regulatory compliance issues if sensitive data is exposed.

To mitigate CVE-2025-46320, organizations should immediately upgrade FileMaker Server to versions 22.0.4 or 21.1.7 or later, where the vulnerability has been fully addressed. Until patching is complete, administrators should restrict access to the WebDirect custom homepage, ideally limiting it to trusted internal networks and users. Implement strict input validation and output encoding on any custom homepage content to prevent injection of malicious scripts. Review and harden web server configurations hosting FileMaker Server to reduce attack surface, including disabling unnecessary features and enforcing HTTPS with strong cipher suites. Monitor server logs for unusual activity or attempted exploitation patterns related to XSS attacks. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Conduct security awareness training for administrators and users to recognize phishing or social engineering attempts that might leverage this vulnerability. Finally, maintain an incident response plan to quickly address any suspected compromise stemming from this vulnerability.