CVE-2025-49395 is a medium severity vulnerability classified as CWE-79, indicating an Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the Themify Icons product developed by themifyme, specifically versions up to 2.0.3. The flaw allows an attacker to inject malicious scripts that are stored and later executed in the context of the victim's browser when they access a compromised page. The vulnerability is a Stored XSS, meaning the malicious payload is saved on the server side and delivered to users without proper sanitization or encoding. The CVSS 3.1 score is 6.5, reflecting a medium severity with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This means the attack can be performed remotely over the network with low attack complexity, requires low privileges and user interaction, and impacts confidentiality, integrity, and availability to a limited extent. The scope is changed, indicating the vulnerability affects components beyond the initially vulnerable module. Stored XSS can lead to session hijacking, defacement, phishing, or malware distribution, compromising user trust and data security. No known exploits are currently reported in the wild, and no patches are linked yet, suggesting the vulnerability is newly disclosed or under investigation. The vulnerability was reserved in June 2025 and published in August 2025, indicating recent discovery and disclosure.

For European organizations using Themify Icons, particularly in web environments such as content management systems or e-commerce platforms, this vulnerability poses a significant risk. Exploitation can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver malicious payloads. This can result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Given the cross-site scripting nature, the impact extends to any user interacting with affected web pages, potentially including employees, partners, and customers. The medium severity score reflects a moderate but tangible risk, especially in environments where user privileges are elevated or sensitive data is handled. The requirement for low privileges and user interaction means attackers could leverage social engineering or compromised accounts to trigger the exploit. The changed scope indicates that the vulnerability might affect multiple components or services within the affected systems, increasing the attack surface. European organizations with public-facing websites or intranet portals using Themify Icons should be particularly vigilant.

Organizations should immediately audit their use of Themify Icons and identify all instances of the affected versions (up to 2.0.3). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data rendered by Themify Icons components. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of injected scripts. Regularly scan web applications with specialized tools to detect stored XSS vulnerabilities. Limit user privileges to the minimum necessary to reduce the risk of exploitation requiring low privileges. Educate users about the risks of interacting with suspicious links or content that could trigger XSS attacks. Monitor web server and application logs for unusual activity indicative of exploitation attempts. Once a patch is available, prioritize timely deployment across all affected systems. Additionally, consider implementing Web Application Firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense.