CVE-2025-50986: n/a
diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page.
AI Analysis
Technical Summary
CVE-2025-50986 identifies multiple stored cross-site scripting (XSS) vulnerabilities in diskover-web version 2.3.0 Community Edition, specifically within its administrative settings interface. The vulnerability arises because various configuration fields—such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE—do not properly sanitize user-supplied input. This lack of input validation allows an attacker to inject malicious scripts that are persistently stored in the application’s configuration data. When an administrator accesses or edits the settings page, these malicious payloads are executed in the context of the administrator’s browser session. Stored XSS in an administrative interface is particularly dangerous because it can lead to session hijacking, privilege escalation, unauthorized configuration changes, or deployment of further attacks within the internal network. Since the vulnerability affects the administrative interface, exploitation requires the attacker to have some level of access to submit or modify configuration settings, but no user interaction beyond the administrator viewing the settings page is needed for the payload to execute. The vulnerability is currently published without a CVSS score and no known exploits in the wild have been reported as of the publication date. The lack of patch links suggests that a fix may not yet be available or publicly disclosed. The vulnerability is specific to diskover-web v2.3.0 Community Edition, a tool used for file system analytics and management, which integrates with Elasticsearch (indicated by the ES_* configuration parameters).
Potential Impact
For European organizations using diskover-web v2.3.0 Community Edition, this vulnerability poses a significant risk to the confidentiality and integrity of administrative operations. Successful exploitation could allow attackers to execute arbitrary JavaScript in the administrator’s browser, potentially leading to theft of authentication tokens, unauthorized changes to system configurations, or pivoting deeper into the network. This could disrupt file system management processes, degrade operational efficiency, or expose sensitive metadata about organizational data stores. Given that diskover-web interfaces with Elasticsearch, manipulation of configuration parameters could also indirectly affect data indexing and search functionalities, impacting availability and data accuracy. The administrative nature of the interface means that exploitation could have a broad scope within affected environments, especially if administrators use shared or less-secure workstations. European organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) could face compliance risks if this vulnerability leads to unauthorized data exposure or system compromise.
Mitigation Recommendations
Organizations should immediately audit their use of diskover-web v2.3.0 Community Edition and restrict administrative access to trusted personnel and secure environments. Until an official patch is released, administrators should avoid entering untrusted data into configuration fields and consider isolating the management interface from general network access using network segmentation or VPNs. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Monitoring administrative activity logs for unusual changes or access patterns is recommended. Additionally, organizations should follow vendor communications closely for patches or updates addressing this vulnerability. If feasible, upgrading to a later, patched version or applying custom input sanitization at the web server or proxy level could reduce risk. Training administrators on the risks of stored XSS and safe handling of configuration inputs is also advised.
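The two application-side controls recommended above (allowlist validation of the settings fields before they are stored, and context-correct escaping of whatever is echoed back into the settings page, with a CSP header as a further layer) are shown below as an added Python example. It is not diskover-web's own code: the field names are the ones listed in the advisory, while every validation rule, the helper names (`validate_settings`, `render_field`, `render_field_unsafe`, `CSP_HEADER`) and the sample values are assumptions chosen for illustration. The vulnerable rendering pattern is kept beside the hardened one so the difference is visible on the same input.

```python
"""Added example, not diskover-web's own code: allowlist validation for the
settings fields named in the advisory, context-correct HTML escaping of what
is echoed back into the settings page, and a CSP header as a second layer.
The field names are from the advisory; every validation rule, helper name and
sample value below is an assumption chosen for illustration."""
import html
import re
from ipaddress import ip_address

_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
_ES_TIME = re.compile(r"^(-1|\d+(ms|s|m|h))$")           # e.g. 30s, 5s, or -1 (disabled)
_ES_BYTES = re.compile(r"^\d+(b|kb|mb|gb)$", re.I)        # e.g. 512mb
_TZ = re.compile(r"^[A-Za-z]+(/[A-Za-z0-9_+\-]+){0,2}$")  # e.g. Europe/Berlin, UTC
_GLOB = re.compile(r"^[A-Za-z0-9_.*?/\\\-~ ]+$")          # path/glob text without < > " ' &
_EXT = re.compile(r"^[A-Za-z0-9]{1,16}$")                 # a bare file extension


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def valid_host(value: str) -> bool:
    return bool(_HOSTNAME.match(value)) or _is_ip(value)


def int_in(lo: int, hi: int):
    """Validator factory: decimal digits only, within [lo, hi]."""
    return lambda v: v.isdigit() and lo <= int(v) <= hi


def each(pattern: re.Pattern, sep: str = ","):
    """Validator factory: every comma-separated item matches the pattern."""
    return lambda v: all(pattern.match(i.strip()) for i in v.split(sep) if i.strip())


# One allowlist per field; a field not listed here is never stored.
VALIDATORS = {
    "ES_HOST": valid_host,
    "ES_PORT": int_in(1, 65535),
    "ES_SCROLLSIZE": int_in(1, 10000),
    "ES_INDEXREFRESH": _ES_TIME.match,
    "ES_TRANSLOGSYNCINT": _ES_TIME.match,
    "ES_TRANSLOGSIZE": _ES_BYTES.match,
    "TIMEZONE": _TZ.match,
    "EXCLUDES_FILES": each(_GLOB),
    "INCLUDES_FILES": each(_GLOB),
    "INCLUDES_DIRS": each(_GLOB),
    "FILE_TYPES[]": _EXT.match,  # submitted as an array, one extension per element
}


def validate_settings(form: dict) -> tuple[dict, dict]:
    """Split a submitted settings form into (accepted, rejected).

    Unknown fields, non-string values and any value failing its allowlist are
    rejected instead of persisted, which is the first defence against storing
    a script payload at all."""
    accepted, rejected = {}, {}
    for name, value in form.items():
        check = VALIDATORS.get(name)
        values = value if isinstance(value, list) else [value]
        if check is None or not all(isinstance(v, str) and check(v) for v in values):
            rejected[name] = value
        else:
            accepted[name] = value
    return accepted, rejected


def render_field_unsafe(name: str, value: str) -> str:
    """The vulnerable pattern: the stored value is interpolated verbatim, so a
    value containing '">' closes the attribute and the rest becomes markup."""
    return f'<input name="{name}" value="{value}">'


def render_field(name: str, value: str) -> str:
    """Hardened rendering: escape for the attribute context on output, even for
    values that passed validation, so the two layers fail independently."""
    return (f'<input name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


# Third layer: a CSP that blocks inline script even if markup injection slips through.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```

Validation and output escaping are deliberately independent: a value that slips past an allowlist (or is edited directly in the stored configuration) is still neutralised at render time, and the CSP covers the case where both are bypassed. The allowlists here are intentionally narrow; a real deployment would widen them only for the exact value syntax its Elasticsearch and path settings require.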
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68af1e37ad5a09ad00630d68
Added to database: 8/27/2025, 3:03:19 PM
Last enriched: 8/27/2025, 3:18:04 PM
Last updated: 8/27/2025, 4:45:23 PM
Related Threats
- CVE-2025-51667: n/a (severity: High)
- CVE-2025-50979: n/a (severity: High)
- CVE-2025-55422: n/a (severity: High)
- CVE-2025-58218: CWE-502 Deserialization of Untrusted Data in enituretechnology Small Package Quotes – USPS Edition (severity: High)
- CVE-2025-58217: CWE-352 Cross-Site Request Forgery (CSRF) in GeroNikolov Instant Breaking News (severity: High)