
CVE-2025-46446: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ivanrojas Libro de Reclamaciones

Severity: High
Tags: Vulnerability, CVE-2025-46446, CWE-79
Published: Fri May 23 2025 (05/23/2025, 12:43:47 UTC)
Source: CVE
Vendor/Project: ivanrojas
Product: Libro de Reclamaciones

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanrojas Libro de Reclamaciones allows Stored XSS. This issue affects Libro de Reclamaciones: from n/a through 1.0.1.

AI-Powered Analysis

Last updated: 07/08/2025, 23:41:00 UTC

Technical Analysis

CVE-2025-46446 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the ivanrojas Libro de Reclamaciones software, affecting versions up to and including 1.0.1. It is classified under CWE-79, improper neutralization of input during web page generation. The flaw allows an attacker to inject script that is stored persistently by the application and executed in the browser of any user who later views the affected page.

The vulnerability is exploitable remotely over the network (AV:N) without any privileges (PR:N), but it requires user interaction (UI:R), such as a user viewing a page on which the stored payload is rendered. The scope is rated changed (S:C), meaning exploitation can affect resources beyond the initially vulnerable component. The individual confidentiality, integrity and availability impacts are rated low, but in combination they can lead to significant security issues such as session hijacking, credential theft, unauthorized actions on behalf of users, and potential spread of malware.

No patches or fixes are currently available, and no exploits are known in the wild as of the publication date. The CVE was reserved in April 2025 and published in May 2025, indicating a recent discovery. The absence of patch links means users of Libro de Reclamaciones should be cautious and implement mitigations proactively.

Potential Impact

For European organizations using ivanrojas Libro de Reclamaciones, this vulnerability poses a significant risk, especially for entities handling sensitive customer complaints or feedback data. Exploitation could lead to unauthorized access to user sessions, data leakage, and manipulation of complaint records, undermining trust and compliance with data protection regulations such as GDPR. The stored XSS nature means that once malicious scripts are injected, they can affect multiple users over time, increasing the attack surface. This can result in reputational damage, legal consequences, and operational disruption. Organizations in sectors such as public administration, consumer rights, and service providers that rely on Libro de Reclamaciones for complaint management are particularly vulnerable. Additionally, the cross-site scripting can be leveraged as a stepping stone for more advanced attacks, including phishing campaigns targeting employees or customers.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement immediate compensating controls. These include:

1) Applying strict input validation and output encoding on all user-supplied data within the application, ensuring that special characters are properly escaped before rendering in HTML contexts.
2) Employing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS payloads.
3) Conducting regular security audits and code reviews focusing on input handling in Libro de Reclamaciones.
4) Restricting user permissions to limit the ability to submit or modify complaint data to trusted users only.
5) Educating users about the risks of clicking on suspicious links or submitting untrusted content.
6) Monitoring web application logs for unusual activity indicative of attempted XSS exploitation.
7) Considering temporary removal or replacement of the vulnerable module if feasible until a vendor patch is released.
8) Engaging with the vendor or community to track patch availability and apply updates promptly once available.
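Recommendations 1, 2 and 6 in concrete form, as an added example that is not code from Libro de Reclamaciones or its author (the page does not state the application's language, so the logic is shown in Python): a vulnerable render of a stored complaint record beside its output-encoded form, a CSP header with a placeholder nonce, a review-time check for unescaped markup, and a coarse log filter. The complaint fields, log path and parameter names are constructed for the example.

```python
import html
import re
import urllib.parse

# Constructed complaint record (not data from the affected plugin); the
# fields carry markup of the kind a stored-XSS test would submit.
SAMPLE_COMPLAINT = {
    "name": 'Ana "Test" <script>alert(1)</script>',
    "message": "Producto defectuoso <img src=x onerror=alert(1)>",
}

def render_unsafe(complaint):
    """Vulnerable pattern: stored fields concatenated straight into HTML."""
    return (f'<div class="complaint" data-author="{complaint["name"]}">'
            f'<p>{complaint["message"]}</p></div>')

def render_safe(complaint):
    """Hardened pattern: encode each stored field for the HTML context it
    lands in; html.escape(quote=True) covers text nodes and quoted attributes."""
    name = html.escape(complaint["name"], quote=True)
    message = html.escape(complaint["message"], quote=True)
    return (f'<div class="complaint" data-author="{name}">'
            f'<p>{message}</p></div>')

# CSP (recommendation 2) that blocks inline script even if an encoding gap
# remains; the nonce is a placeholder to be generated per response.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; "
              "script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'")

def contains_unescaped_markup(rendered, allowed_tags=("div", "p")):
    """Code-review check: True if any tag other than the template's own
    survives in the rendered output."""
    found = {t.lower() for t in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)}
    return bool(found - set(allowed_tags))

# Constructed log lines (hypothetical path and field names) for
# recommendation 6: the complaint form's POST body has been logged.
SAMPLE_LOG = [
    'POST /complaint-form body="name=Ana&message=Producto+defectuoso"',
    'POST /complaint-form body="name=x&message=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
]

def suspicious_submissions(lines):
    """Flag lines whose URL-decoded body contains a tag or an on* handler.
    A coarse triage filter, not a replacement for output encoding."""
    pattern = re.compile(r"<\s*/?\s*[A-Za-z]|\bon[a-z]+\s*=", re.I)
    return [ln for ln in lines if pattern.search(urllib.parse.unquote_plus(ln))]
```

The unsafe render leaves the script and img tags intact, while the safe render reduces them to inert text; the log filter is only a first-pass signal for review, since encoded or split payloads will evade it.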


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-24T14:22:16.421Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68306f8e0acd01a2492723b9

Added to database: 5/23/2025, 12:52:30 PM

Last enriched: 7/8/2025, 11:41:00 PM

Last updated: 8/16/2025, 5:00:05 AM

