CVE-2025-49130: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in barryvdh laravel-translation-manager

Medium
Published: Mon Jun 09 2025
Source: CVE Database V5
Vendor/Project: barryvdh
Product: laravel-translation-manager

Description

Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. The issue is fixed in version 0.6.8.

AI-Powered Analysis


Technical Analysis

CVE-2025-49130 is a Cross-Site Scripting (XSS) vulnerability identified in the barryvdh laravel-translation-manager package, a tool used to manage Laravel translation files. Versions prior to 0.6.8 of this package improperly neutralize user input during web page generation, specifically failing to correctly validate and sanitize data submitted by authenticated users. This flaw allows an attacker with authenticated access to inject arbitrary HTML or JavaScript code into pages rendered by the translation manager interface. When other users or the same user view these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, theft of sensitive data such as authentication tokens, or unauthorized actions performed on behalf of the user. The vulnerability requires that the attacker already has authenticated access to the translation manager, which typically restricts the attack surface to internal users or compromised accounts. The issue is resolved in version 0.6.8 of the package. The CVSS 4.0 base score is 6.0 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations using the laravel-translation-manager package in versions prior to 0.6.8, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of internal translation management data and user sessions. Since exploitation requires authenticated access, the threat is most significant in environments where user credentials may be compromised or where insider threats exist. Successful exploitation could allow attackers to execute malicious scripts within the context of the translation manager, potentially leading to session hijacking, unauthorized data access, or manipulation of translation files that could affect application behavior or user interfaces. This could disrupt internal workflows or lead to further compromise if attackers leverage the vulnerability as a pivot point. The availability impact is minimal as the vulnerability does not directly cause denial of service. Organizations with extensive use of Laravel and this package in their web applications, especially those with multiple translators or administrators, face higher exposure. The medium severity rating suggests that while the vulnerability is not critical, it warrants timely remediation to prevent escalation or chaining with other vulnerabilities.

Mitigation Recommendations

1. Immediate upgrade of the laravel-translation-manager package to version 0.6.8 or later is the most effective mitigation.
2. Restrict access to the translation manager interface strictly to trusted and verified users, employing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised credentials.
3. Implement strict input validation and output encoding on any user-supplied data within the translation manager, even beyond the package’s built-in protections, to add defense-in-depth.
4. Monitor logs and user activity within the translation manager for unusual behavior indicative of exploitation attempts, such as unexpected script injections or anomalous translation file changes.
5. Conduct regular security audits and penetration testing focused on internal tools like translation managers to detect similar vulnerabilities.
6. Educate users with access about phishing and credential security to reduce the risk of account compromise.
7. If immediate upgrade is not feasible, consider isolating the translation manager behind additional access controls such as VPNs or IP whitelisting to limit exposure.
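Mitigation items 3 and 4 in working form, as an added example that is not code from the laravel-translation-manager package: an output-encoding helper for the manager's own pages plus a review check over stored translation values. It assumes the translations are plain PHP arrays keyed by group and key; the function names and sample data are hypothetical.

```php
<?php
// Added example, not code from barryvdh/laravel-translation-manager.
// Defence in depth for translation values edited by authenticated users:
// always HTML-encode them when rendering the manager UI, and flag stored
// values that contain markup so an administrator can review them.
declare(strict_types=1);

/** Encode a value for safe inclusion in HTML text (what Laravel's e() helper does). */
function renderTranslationValue(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Heuristic: does the value contain tags, javascript: URLs or on*= handlers? */
function containsMarkup(string $value): bool
{
    // A review heuristic, not a sanitizer: it errs on the side of flagging.
    return (bool) preg_match('/<\s*\/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=/i', $value);
}

/**
 * Walk one locale's translations (group => key => value) and return the
 * dotted keys whose values should be reviewed before being trusted anywhere.
 */
function findSuspiciousTranslations(array $translations): array
{
    $flagged = [];
    foreach ($translations as $group => $keys) {
        foreach ($keys as $key => $value) {
            if (is_string($value) && containsMarkup($value)) {
                $flagged[] = "$group.$key";
            }
        }
    }
    return $flagged;
}

// Constructed sample data (hypothetical; not taken from any real project).
$translations = [
    'auth'     => ['failed'  => 'These credentials do not match our records.',
                   'welcome' => 'Welcome back, <b>:name</b>!'],
    'messages' => ['hello'   => 'Hello <script>/* injected by an editor */</script>'],
];

// Escaped on output: the browser renders the tags as literal text.
echo renderTranslationValue($translations['messages']['hello']), PHP_EOL;
// Legitimate markup such as <b> is flagged too: review it, do not auto-strip it.
print_r(findSuspiciousTranslations($translations));
```

Run it with `php` on the command line; the review list is what an administrator would work through after an upgrade, since values stored before 0.6.8 remain in the translation files.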


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-02T10:39:41.633Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 6846dc927b622a9fdf23bfd7

Added to database: 6/9/2025, 1:07:30 PM

Last enriched: 6/9/2025, 1:21:27 PM

Last updated: 6/10/2025, 9:48:18 PM

