
CVE-2025-46825: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kanboard kanboard

Severity: Low
Type: Vulnerability
Tags: CVE-2025-46825, cve, cve-2025-46825, cwe-79
Published: Mon May 12 2025 (05/12/2025, 22:53:42 UTC)
Source: CVE
Vendor/Project: kanboard
Product: kanboard

Description

Kanboard is project management software that focuses on the Kanban methodology. Versions 1.2.26 through 1.2.44 have a Stored Cross-Site Scripting (XSS) Vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. Note that the default content security policy (CSP) blocks the JavaScript attack, though it can be exploited if an instance is badly configured and the software is vulnerable to CSS injection because of the unsafe-inline on the default CSP. Version 1.2.45 contains a fix for the issue.

AI-Powered Analysis

Last updated: 07/04/2025, 21:13:39 UTC

Technical Analysis

CVE-2025-46825 is a stored Cross-Site Scripting (XSS) vulnerability in Kanboard, a project management application built around the Kanban methodology. It affects versions 1.2.26 through 1.2.44 and sits in the `name` parameter of the ProjectCreationController create action (the form at http://localhost/?controller=ProjectCreationController&action=create). A value injected into this parameter is stored and later rendered in pages viewed by other users, which can lead to arbitrary JavaScript executing in the victim's browser session. Kanboard's default Content Security Policy (CSP) blocks the JavaScript attack, so script execution requires an instance whose CSP has been badly configured. Separately, the default CSP includes 'unsafe-inline', which leaves the software vulnerable to CSS injection. Version 1.2.45 fixes the vulnerability. The CVSS 4.0 base score is 1.3, reflecting low severity, primarily because exploitation requires user interaction and no privileges, and because the default CSP reduces the attack surface. No known exploits are currently reported in the wild. The vulnerability is categorized under CWE-79, improper neutralization of input during web page generation, the weakness class behind XSS.

Potential Impact

For European organizations using Kanboard versions 1.2.26 to 1.2.44, this vulnerability poses a risk of stored XSS attacks that could lead to session hijacking, defacement, or unauthorized actions performed on behalf of legitimate users. While the default CSP reduces the likelihood of successful exploitation, misconfigurations or relaxed CSP policies can enable attackers to bypass these protections. The impact is particularly relevant for organizations that rely on Kanboard for project management and collaboration, as compromised user sessions could lead to data leakage, unauthorized project modifications, or lateral movement within the internal network. Given that Kanboard is often self-hosted, the risk is heightened if instances are exposed to the internet without proper security hardening. The low CVSS score indicates limited impact under default configurations, but the potential for exploitation increases in environments with weak CSP enforcement or where CSS injection is possible. This vulnerability does not affect system availability or integrity directly but compromises confidentiality and user trust.

Mitigation Recommendations

European organizations should immediately upgrade Kanboard installations to version 1.2.45 or later, where the vulnerability is patched. Administrators must review and enforce strict Content Security Policies, avoiding the 'unsafe-inline' source keyword, which weakens CSP effectiveness. Regularly audit CSP configurations to ensure they block inline scripts and disallow unsafe CSS injection. Implement input validation and sanitization on all user-supplied data, especially parameters like `name` in project creation forms. Conduct security assessments and penetration testing on Kanboard instances to detect any residual XSS or configuration weaknesses. Limit exposure of Kanboard instances to internal networks or VPNs to reduce the attack surface. Additionally, monitor logs for suspicious activity indicative of attempted XSS exploitation. Educate users about the risks of clicking on untrusted links or executing unexpected scripts within the Kanboard interface. Finally, maintain an up-to-date inventory of software versions and apply security patches promptly.
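The version and CSP checks recommended above can be combined into one triage step. The following is an added example, not code from Kanboard or from this advisory. The function names and the sample header are constructed for illustration, and the sample header is not Kanboard's actual default policy.

```python
import re

AFFECTED_MIN, AFFECTED_MAX = (1, 2, 26), (1, 2, 44)  # range stated in the advisory
# Constructed sample header: inline script blocked, inline style allowed.
SAMPLE_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"

def parse_version(text):
    """Turn '1.2.44' or 'v1.2.44' into a tuple so 1.2.9 sorts before 1.2.26."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def parse_csp(header):
    """Parse a CSP header into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def inline_allowed(policy, directive):
    """True if inline content governed by `directive` is permitted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True   # neither the directive nor default-src restricts it
    if "'unsafe-inline'" not in sources:
        return False
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    overrides = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(overrides) for s in sources)

def triage(version, csp_header):
    """Return findings for one instance, given its version and CSP header value."""
    policy = parse_csp(csp_header or "")
    if not is_affected(version):
        return []
    findings = ["upgrade to 1.2.45"]
    if inline_allowed(policy, "script-src"):
        findings.append("inline script permitted: stored XSS can execute")
    if inline_allowed(policy, "style-src"):
        findings.append("inline style permitted: CSS injection possible")
    return findings
```

Feed it the version from the asset inventory and the `Content-Security-Policy` header value captured from the instance's responses.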


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-30T19:41:58.134Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd6508

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/4/2025, 9:13:39 PM

Last updated: 7/26/2025, 7:40:13 AM
