CVE-2025-48163 is a high-severity reflected Cross-site Scripting (XSS) vulnerability identified in LambertGroup's SHOUT - HTML5 Radio Player With Ads, which supports ShoutCast and IceCast streaming protocols. The vulnerability arises from improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the affected versions up to 3.5.4 do not adequately sanitize or encode input parameters that are reflected back in the HTML response, allowing an attacker to inject malicious scripts. When a victim user interacts with a crafted URL or input, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS v3.1 base score of 7.1 reflects a network attack vector with low attack complexity, no privileges required, but requiring user interaction. The scope is changed, indicating that exploitation can affect components beyond the vulnerable module, impacting confidentiality, integrity, and availability to a limited extent. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk, especially for web applications embedding this radio player. The lack of available patches at the time of publication further increases exposure.

For European organizations, this vulnerability poses a tangible risk primarily to web platforms integrating the SHOUT HTML5 Radio Player, especially those relying on ShoutCast or IceCast streaming services. Potential impacts include unauthorized access to user sessions, leading to data leakage or manipulation of user accounts. This can erode user trust, cause reputational damage, and potentially violate GDPR requirements concerning personal data protection. Additionally, attackers could leverage the XSS flaw to deliver further malware or conduct phishing attacks targeting European users. Organizations in media, broadcasting, and online entertainment sectors are particularly vulnerable, as they are more likely to deploy this player. The reflected XSS nature means that attacks require user interaction, but given the widespread use of web browsers and the potential for social engineering, the threat remains significant. The vulnerability could also be exploited to pivot into internal networks if combined with other vulnerabilities, increasing the risk to critical infrastructure and services within Europe.

Organizations should immediately audit their web applications to identify instances of the LambertGroup SHOUT HTML5 Radio Player, particularly versions up to 3.5.4. Until an official patch is released, implement strict input validation and output encoding on all parameters reflected in web pages to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. Additionally, enable HTTPOnly and Secure flags on cookies to protect session tokens from theft via script access. Conduct user awareness training to mitigate the risk of social engineering attacks exploiting this vulnerability. Monitor web traffic for suspicious requests that may indicate exploitation attempts. Finally, maintain close communication with LambertGroup for timely patch releases and apply updates as soon as they become available.