CVE-2025-50043 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Jordy Meow Code Engine product up to version 0.3.2. The vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be stored and later executed in the context of users' browsers. This type of vulnerability typically occurs when user-supplied input is not correctly sanitized or encoded before being embedded in web pages, enabling attackers to inject arbitrary JavaScript code. The CVSS 3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The scope change means the vulnerability affects components beyond the initially vulnerable component, potentially impacting other system parts or users. Exploitation requires an attacker to have some level of privileges on the system and to trick a user into interacting with a crafted payload, which then executes in the victim's browser session. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The lack of available patches at the time of publication suggests that users of affected versions should prioritize mitigation and monitoring. The vulnerability affects the Code Engine product, which is a web-based platform or framework developed by Jordy Meow, likely used for code generation or web application development. Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server and can affect multiple users over time once injected.

For European organizations using Jordy Meow Code Engine, this vulnerability could lead to significant security risks including unauthorized access to sensitive data, session hijacking, and potential lateral movement within internal networks if attackers leverage the XSS to escalate privileges or deploy further attacks. The medium severity rating reflects moderate impact, but the changed scope and requirement for user interaction mean that targeted phishing or social engineering campaigns could amplify the risk. Organizations in sectors with high reliance on web applications—such as finance, healthcare, and government—may face increased exposure due to the potential for data leakage or disruption of services. Additionally, the persistence of stored XSS can lead to prolonged exploitation windows if not promptly addressed. The vulnerability could also undermine user trust and compliance with European data protection regulations (e.g., GDPR) if personal data is compromised through exploitation.

Implement strict input validation and output encoding on all user-supplied data within the Code Engine environment to prevent injection of malicious scripts. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing affected applications. Enforce least privilege principles to limit the number of users with write or administrative access to the Code Engine platform, reducing the risk of initial injection. Conduct regular security code reviews and penetration testing focused on XSS vulnerabilities within applications built using Code Engine. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts, such as unexpected script execution or anomalous requests. Educate users about the risks of interacting with unsolicited links or inputs that could trigger stored XSS payloads, emphasizing cautious behavior. Stay updated with Jordy Meow vendor communications for patches or updates addressing this vulnerability and apply them promptly once available. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Code Engine applications.