CVE-2025-49346: CWE-352 Cross-Site Request Forgery (CSRF) in Peter Sterling Simple Archive Generator
Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Simple Archive Generator allows Stored XSS. This issue affects Simple Archive Generator: from n/a through 5.2.
AI Analysis
Technical Summary
CVE-2025-49346 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Peter Sterling Simple Archive Generator software, affecting all versions up to 5.2. CSRF vulnerabilities allow attackers to trick authenticated users into submitting unwanted requests to a web application, exploiting the user's credentials and session. In this case, the CSRF flaw lets an attacker cause a victim's browser to submit requests that result in a stored Cross-Site Scripting (XSS) payload being saved within the application. Stored XSS leads to persistent script execution in the context of other users who view the affected content, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions. The CVSS 3.1 base score of 7.1 reflects high severity: network attack vector (AV:N), low attack complexity (AC:L) and no privileges required (PR:N), but user interaction is required (UI:R). The scope is changed (S:C), indicating the vulnerability affects components beyond the vulnerable software itself, with limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L). No patches or official fixes are currently available, and no known exploits have been reported in the wild. The vulnerability was reserved in June 2025 and published at the end of 2025. The affected software is typically used for archiving and content management, which may hold sensitive organizational data. The attacker needs no account of their own (PR:N); the forged request rides on the victim's authenticated session, so the risk is greatest in environments where the targeted users hold elevated privileges or access to critical systems. The vulnerability stems from insufficient CSRF protections and inadequate input validation, allowing attackers to craft requests that store XSS payloads, which persist and affect other users.
Potential Impact
For European organizations, this vulnerability poses a significant risk to data confidentiality, system integrity, and service availability. Organizations using Simple Archive Generator in sectors such as government, finance, healthcare, or critical infrastructure may face data breaches, unauthorized data manipulation, or service disruptions. Stored XSS can lead to session hijacking, credential theft, or malware distribution within the network. The CSRF aspect means the attacker needs no credentials of their own: the forged request is sent by the victim's browser with the victim's session, rather than passing through the normal authentication flow, which increases the attack surface. Given the software's role in archiving, compromised data integrity could affect compliance with GDPR and other data protection regulations, leading to legal and financial repercussions. The requirement for user interaction means phishing or social engineering could be leveraged to trigger attacks. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score indicates that successful exploitation would have serious consequences.
Mitigation Recommendations
Organizations should immediately assess their use of Peter Sterling Simple Archive Generator and prioritize upgrading to a patched version once available. In the absence of official patches, implement strict CSRF protections such as synchronizer tokens or double-submit cookies to validate request origins. Enforce Content Security Policy (CSP) headers to mitigate the impact of stored XSS. Conduct thorough input validation and output encoding on all user-supplied data to prevent script injection. Limit user privileges to the minimum necessary, reducing the impact of compromised accounts. Employ multi-factor authentication (MFA) to reduce the risk of session hijacking. Monitor logs for unusual request patterns indicative of CSRF or XSS exploitation attempts. Educate users about phishing risks to reduce the likelihood of user interaction-based attacks. Consider isolating or sandboxing the archive generator environment to limit lateral movement in case of compromise.
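As an added illustration of the synchronizer-token and output-encoding controls recommended above (not code from Simple Archive Generator or its author), the following Python sketch places a settings-save handler that accepts any session-authenticated request beside one that requires a per-session token and HTML-encodes the stored value on output. The session store, settings store and forged form are constructed stand-ins.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for the session store and the archive settings
# that a settings-save handler would persist. Not the plugin's code.
sessions: dict[str, dict] = {}
stored_settings: dict[str, str] = {}
# Constructed payload: what a forged cross-site form post might try to store.
FORGED_FORM = {"title": "<script>alert(1)</script>"}

def new_session() -> str:
    """Create a session and bind a fresh synchronizer token to it."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def vulnerable_save(sid: str, form: dict) -> bool:
    """Flaw pattern: any request carrying a valid session cookie is accepted, so a
    form post triggered from another site is stored as if the user intended it."""
    if sid not in sessions:
        return False
    stored_settings["title"] = form.get("title", "")
    return True

def hardened_save(sid: str, form: dict) -> bool:
    """Synchronizer-token check: the submitted token must equal the one bound to the
    session. Another origin cannot read that token, so its request is rejected."""
    session = sessions.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return False
    stored_settings["title"] = form.get("title", "")
    return True

def render_vulnerable() -> str:
    """Output without encoding: a stored payload runs in every viewer's browser."""
    return "<h1>" + stored_settings.get("title", "") + "</h1>"

def render_hardened() -> str:
    """Output encoding: the stored value is shown as text, never parsed as markup."""
    return "<h1>" + html.escape(stored_settings.get("title", "")) + "</h1>"
```

A double-submit cookie variant replaces the server-side token lookup with a comparison between a cookie value and the same value echoed in the form body; the rest of the check is unchanged.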
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:42:34.940Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69556460db813ff03ef78082
Added to database: 12/31/2025, 5:58:56 PM
Last enriched: 1/20/2026, 7:59:01 PM
Last updated: 2/5/2026, 11:30:16 PM