CVE-2025-47618: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Mortgage Calculator BMI Adult & Kid Calculator
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mortgage Calculator BMI Adult & Kid Calculator allows Reflected XSS. This issue affects BMI Adult & Kid Calculator: from n/a through 1.2.2.
AI Analysis
Technical Summary
CVE-2025-47618 is a high-severity reflected Cross-site Scripting (XSS) vulnerability identified in the Mortgage Calculator BMI Adult & Kid Calculator application, affecting versions up to 1.2.2. This vulnerability arises due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode input parameters before reflecting them in the HTML response, enabling an attacker to inject malicious scripts. When a victim clicks on a crafted URL containing the malicious payload, the script executes in the victim's browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. The CVSS 3.1 base score of 7.1 reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability can impact resources beyond the vulnerable component, with low confidentiality, integrity, and availability impacts (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved on May 7, 2025, and published on May 23, 2025. The affected product is a specialized calculator tool used for mortgage and BMI calculations, which may be embedded or integrated into financial or health-related websites or applications.
Potential Impact
For European organizations, the impact of this reflected XSS vulnerability depends largely on the deployment context of the Mortgage Calculator BMI Adult & Kid Calculator. If integrated into websites or portals accessed by European users, attackers could exploit this vulnerability to execute malicious scripts in users' browsers, leading to session hijacking, credential theft, or unauthorized actions. This could compromise user data confidentiality and integrity, damage organizational reputation, and potentially lead to regulatory non-compliance under GDPR if personal data is exposed or mishandled. Financial institutions or health service providers using this calculator may face increased risk due to the sensitivity of their data and the trust users place in their platforms. The requirement for user interaction (clicking a malicious link) somewhat limits the exploitation scope but does not eliminate risk, especially in phishing-prone environments. The reflected nature of the XSS means attacks are transient and rely on social engineering, but the changed scope indicates potential for broader impact if chained with other vulnerabilities or misconfigurations.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply strict input validation and output encoding on all user-supplied data reflected in web pages, using context-appropriate encoding (HTML entity encoding, JavaScript encoding, etc.). Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Conduct thorough code reviews and penetration testing focused on input handling in the affected application. If possible, disable or replace the vulnerable Mortgage Calculator BMI Adult & Kid Calculator component until a vendor patch is available. Educate users and staff about phishing risks to reduce the likelihood of successful exploitation requiring user interaction. Monitor web server logs and application behavior for suspicious requests or anomalies indicative of attempted XSS exploitation. Finally, maintain up-to-date backups and incident response plans tailored to web application attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-07T10:44:40.883Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68306f8e0acd01a249272439
Added to database: 5/23/2025, 12:52:30 PM
Last enriched: 7/8/2025, 10:27:54 PM
Last updated: 8/14/2025, 7:01:46 AM
Views: 14
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)