
CVE-2025-46453: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CreatorTeam Zoho Creator Forms

Severity: Medium
Tags: Vulnerability, CVE-2025-46453, cve, cwe-79
Published: Thu Apr 24 2025 (04/24/2025, 16:09:06 UTC)
Source: CVE
Vendor/Project: CreatorTeam
Product: Zoho Creator Forms

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreatorTeam Zoho Creator Forms allows Stored XSS. This issue affects Zoho Creator Forms: from n/a through 1.0.5.

AI-Powered Analysis

Last updated: 07/04/2025, 23:12:18 UTC

Technical Analysis

CVE-2025-46453 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting Zoho Creator Forms developed by CreatorTeam. The vulnerability arises from improper neutralization of input during web page generation: user-supplied input is stored by the application and later written into a page without adequate output encoding, so script markup embedded in that input is rendered as live code. When a victim user accesses the affected form or page, the stored script executes in their browser context. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. The vulnerability affects Zoho Creator Forms versions up to 1.0.5, with no specific earliest affected version identified. The CVSS 3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The requirement for privileges and user interaction reduces the ease of exploitation, but the scope change indicates that the impact extends beyond the vulnerable component, potentially affecting other system components or users. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is significant because Zoho Creator Forms are widely used for building custom business applications and data collection forms, often embedded in enterprise workflows, making stored XSS a critical risk for persistent attacks and lateral movement within organizations.

Potential Impact

For European organizations, this vulnerability poses a risk of persistent cross-site scripting attacks that can compromise user sessions, steal sensitive data, or manipulate form data integrity. Given Zoho Creator's popularity among SMEs and enterprises for rapid application development and data collection, exploitation could lead to unauthorized access to confidential business information or disruption of business processes. The medium severity and requirement for some privileges and user interaction suggest targeted attacks rather than widespread automated exploitation. However, successful exploitation could facilitate further attacks such as phishing, credential theft, or privilege escalation within corporate environments. Organizations handling personal data under GDPR must consider the risk of data breaches and the associated regulatory consequences. Additionally, sectors relying heavily on web forms for customer interaction, such as finance, healthcare, and public services, could face reputational damage and operational disruption.

Mitigation Recommendations

1. Immediately review and apply any forthcoming patches or updates from CreatorTeam or Zoho addressing this vulnerability.
2. Implement strict input validation and output encoding on all user-supplied data within Zoho Creator Forms to neutralize malicious scripts before storage or rendering.
3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the forms.
4. Conduct regular security audits and penetration testing focused on web application inputs and stored content to detect and remediate XSS vectors.
5. Limit user privileges to the minimum necessary to reduce the risk posed by the PR:L vector, and educate users about the risks of interacting with untrusted content.
6. Monitor logs and user activity for unusual behavior that could indicate exploitation attempts.
7. Where possible, segregate form data and application components to contain potential scope changes caused by exploitation.
8. Use web application firewalls (WAFs) configured to detect and block XSS payloads targeting Zoho Creator Forms.
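The following is an added example illustrating mitigations 2, 3 and 6 above in generic terms; it is not code from Zoho Creator Forms or CreatorTeam, and the template, field names and stored values are constructed for illustration. It renders one stored submission the CWE-79 way (raw interpolation) and the hardened way (context-aware output encoding plus a URL scheme allowlist), builds a baseline CSP header, and includes a simple triage check that flags stored fields containing markup that plain form input should never carry.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: a stored submission of the kind a form plugin keeps
# in its database. The values are illustrative, not real attack traffic.
STORED_SUBMISSION = {
    "name": "Alice <script>document.title='x'</script>",
    "website": "javascript:void(0)",
    "comment": 'Nice form" onmouseover="document.title=1',
}

# Hypothetical page fragment that displays one submission.
TEMPLATE = (
    '<div class="entry">'
    '<span class="name">{name}</span>'
    '<a href="{website}">site</a>'
    '<p title="{comment}">{comment}</p>'
    "</div>"
)


def render_vulnerable(sub: dict) -> str:
    """Stored values are interpolated raw: whatever was submitted becomes
    markup when the page is generated (the CWE-79 pattern)."""
    return TEMPLATE.format(**sub)


def safe_url(value: str) -> str:
    """Allow only http(s) URLs in href; any other scheme is replaced,
    since HTML escaping alone does not neutralize javascript: links."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return value if scheme in ("http", "https") else "#"


def render_hardened(sub: dict) -> str:
    """Same template, but every value is encoded for its output context:
    html.escape(quote=True) covers element text and double-quoted
    attributes, and the href additionally goes through the allowlist."""
    encoded = {
        "name": html.escape(sub["name"], quote=True),
        "website": html.escape(safe_url(sub["website"]), quote=True),
        "comment": html.escape(sub["comment"], quote=True),
    }
    return TEMPLATE.format(**encoded)


def csp_header() -> tuple[str, str]:
    """Mitigation 3: a baseline policy with no 'unsafe-inline', so a stored
    payload that slips past encoding is still refused by the browser.
    Add the site's real script origins before deploying."""
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", policy)


# Markup that has no business in plain form input; used as a triage signal
# over already-stored records (mitigation 6), not as a sanitizer.
ACTIVE_MARKUP = re.compile(
    r"<\s*script|<\s*/?\s*(iframe|svg|img|object)|on\w+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def flag_suspicious_fields(sub: dict) -> list[str]:
    """Return the names of stored fields whose value matches ACTIVE_MARKUP,
    sorted, so reviewers can inspect existing records for stored payloads."""
    return sorted(k for k, v in sub.items() if ACTIVE_MARKUP.search(v))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_SUBMISSION))
    print("hardened:  ", render_hardened(STORED_SUBMISSION))
    print("csp:       ", csp_header())
    print("flagged:   ", flag_suspicious_fields(STORED_SUBMISSION))
```

Encoding is applied at render time rather than at storage time on purpose: the stored record keeps the original input, and each output context (text node, attribute, URL) gets the encoding that context needs. The regex check is deliberately coarse; it is meant to surface records for human review, and a clean result from it is not evidence that a field is safe.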


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-24T14:22:16.422Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd727f

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/4/2025, 11:12:18 PM

Last updated: 7/30/2025, 4:40:10 PM
