CVE-2025-48291 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the Contest Gallery software developed by Wasiliy Strecker. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before rendering it in web pages, allowing an attacker to inject malicious scripts that are persistently stored and executed in the context of other users' browsers. The vulnerability affects versions of Contest Gallery up to 26.0.6, with no lower bound version specified. The CVSS 3.1 base score is 7.1, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect components beyond the vulnerable component. The impact includes low confidentiality, integrity, and availability impacts individually, but combined they represent a significant risk. Stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, and potential pivoting within the affected environment. No known exploits are currently reported in the wild, and no patches or mitigation links are provided in the data. The vulnerability was reserved in May 2025 and published in July 2025, indicating recent discovery and disclosure.

For European organizations using Contest Gallery, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can enable attackers to execute arbitrary JavaScript in the browsers of legitimate users, potentially leading to theft of session cookies, user credentials, and sensitive data. This can facilitate unauthorized access to internal systems or user accounts, data manipulation, and further exploitation. Given the collaborative nature of Contest Gallery, often used for managing and displaying contest or event-related content, attackers could deface content or inject malicious payloads that spread through trusted user interactions. The impact extends to compliance risks under GDPR, as exploitation could lead to unauthorized disclosure of personal data. Additionally, reputational damage and operational disruption could arise if attackers leverage this vulnerability to conduct phishing or social engineering campaigns targeting European users. The requirement for user interaction means phishing or social engineering may be used to trigger the exploit, increasing the risk in environments with less security awareness.

European organizations should implement the following specific mitigations: 1) Immediately assess usage of Contest Gallery and identify affected versions up to 26.0.6. 2) Monitor vendor communications closely for official patches or updates addressing CVE-2025-48291 and apply them promptly once available. 3) In the interim, implement web application firewall (WAF) rules to detect and block typical XSS payloads targeting Contest Gallery endpoints. 4) Conduct thorough input validation and output encoding on all user-supplied data rendered in web pages, especially in custom integrations or extensions of Contest Gallery. 5) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 6) Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful exploitation requiring user interaction. 7) Regularly audit logs and monitor for anomalous activities indicative of XSS exploitation attempts. 8) Consider isolating or sandboxing Contest Gallery instances to limit potential lateral movement if compromise occurs.