CVE-2025-57538 is a stored cross-site scripting (XSS) vulnerability identified in the HTTP Proxy field within the Datacenter configuration panel of Proxmox Virtual Environment (PVE) version 8.4. This vulnerability allows an authenticated user to inject malicious JavaScript code into the configuration interface. Because the input is stored persistently, the malicious script executes in the browsers of other users who access the affected configuration page. This results in arbitrary JavaScript execution within the context of the victim's session, potentially enabling actions such as session hijacking, credential theft, or unauthorized operations within the Proxmox management interface. The vulnerability requires the attacker to have authenticated access with at least limited privileges (as indicated by the CVSS vector: PR:L), and user interaction is necessary since the victim must view the compromised configuration page. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS score is 5.4 (medium severity), reflecting the moderate risk posed by the vulnerability given the authentication and user interaction requirements. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may rely on configuration changes or monitoring until official fixes are released. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input leading to XSS attacks.

For European organizations using Proxmox Virtual Environment 8.4, this vulnerability poses a risk primarily to the confidentiality and integrity of their virtualization management environment. Proxmox is widely used in data centers and enterprise environments for managing virtual machines and containers. Successful exploitation could allow malicious insiders or compromised accounts to execute arbitrary scripts, potentially leading to session hijacking, privilege escalation, or unauthorized configuration changes. This could disrupt virtualization management workflows, expose sensitive infrastructure details, or facilitate lateral movement within the network. Given the administrative nature of the affected interface, the impact could extend to critical infrastructure components managed via Proxmox. European organizations with multi-tenant environments or those relying on Proxmox for cloud or private data center virtualization are particularly at risk. The requirement for authentication and user interaction limits remote exploitation but does not eliminate insider threat or targeted attack scenarios. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation once details become public.

1. Restrict access to the Proxmox Datacenter configuration panel strictly to trusted and necessary personnel to minimize the risk of malicious input injection. 2. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the likelihood of compromised accounts being used to exploit this vulnerability. 3. Monitor and audit configuration changes and user activities within the Proxmox environment to detect suspicious behavior indicative of exploitation attempts. 4. Until an official patch is released, consider applying input validation or sanitization proxies or web application firewalls (WAFs) that can detect and block malicious script injections targeting the HTTP Proxy field. 5. Educate administrators and users about the risk of stored XSS and encourage cautious behavior when accessing configuration pages, especially if unexpected or suspicious content is observed. 6. Regularly check for updates from Proxmox and apply security patches promptly once available. 7. If feasible, isolate the management interface from general network access using network segmentation or VPNs to reduce exposure. 8. Review and harden role-based access controls (RBAC) within Proxmox to limit the number of users with privileges to modify the Datacenter configuration.