CVE-2025-5757: Cross Site Scripting in code-projects Traffic Offense Reporting System
A vulnerability was found in code-projects Traffic Offense Reporting System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /save-reported.php. The manipulation of the argument offence_id/vehicle_no/driver_license/name/address/gender/officer_reporting/offence leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5757 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the code-projects Traffic Offense Reporting System, specifically within the /save-reported.php file. The vulnerability arises due to improper sanitization or validation of multiple input parameters including offence_id, vehicle_no, driver_license, name, address, gender, officer_reporting, and offence. An attacker can craft malicious input in these parameters that, when processed by the application, results in the injection and execution of arbitrary JavaScript code in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, though it requires user interaction (e.g., a victim clicking a malicious link or submitting a crafted form). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:P), and limited impact on integrity (VI:L) with no impact on confidentiality or availability. The exploit has been publicly disclosed but there are no known exploits actively observed in the wild. The vulnerability could allow attackers to steal session cookies, perform actions on behalf of users, or conduct phishing attacks by injecting malicious scripts into the application interface. Given the nature of the affected system—traffic offense reporting—such attacks could undermine trust in law enforcement reporting systems and potentially expose sensitive personal data if combined with other vulnerabilities or social engineering.
Potential Impact
For European organizations, especially governmental or municipal agencies responsible for traffic law enforcement and reporting, this vulnerability poses a risk to the integrity and trustworthiness of their digital services. Exploitation could lead to unauthorized actions performed in the context of legitimate users, potentially disrupting traffic offense processing workflows. Additionally, if attackers leverage the XSS to steal session tokens or credentials, they could gain further unauthorized access to sensitive data, including personal information of drivers and officers. This could result in privacy violations under GDPR, reputational damage, and legal consequences. The medium severity suggests that while the vulnerability is not critical, it still represents a meaningful risk, particularly in environments where the affected software is used to process sensitive or regulated data. The remote exploitability and lack of required privileges increase the attack surface, making it accessible to a wide range of threat actors. The absence of known active exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as exploit code is publicly available.
Mitigation Recommendations
Organizations should prioritize patching or upgrading the Traffic Offense Reporting System to a version that addresses this XSS vulnerability once available. In the absence of an official patch, immediate mitigations include implementing robust input validation and output encoding on all user-supplied data fields, particularly those listed as vulnerable parameters. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the sources from which scripts can be loaded. Web Application Firewalls (WAFs) configured to detect and block common XSS payloads can provide an additional layer of defense. Regular security audits and code reviews focusing on input sanitization should be conducted. User awareness training to recognize phishing attempts that might leverage this vulnerability is also recommended. Finally, monitoring logs for unusual activity or repeated attempts to exploit these parameters can help detect and respond to attacks promptly.
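The input validation, output encoding and CSP measures recommended above, shown as an added PHP example for a handler that receives the eight listed parameters. This is not the application's code: the per-field patterns, the helper names `validate_report` and `e`, the sample values and the CSP policy are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumed field formats (not taken from the application); tighten to the real data.
const FIELD_RULES = [
    'offence_id'        => '/^[A-Za-z0-9-]{1,20}$/',
    'vehicle_no'        => '/^[A-Za-z0-9 -]{1,15}$/',
    'driver_license'    => '/^[A-Za-z0-9-]{1,20}$/',
    'name'              => '/^[\p{L} .\'-]{1,80}$/u',
    'address'           => '/^[\p{L}\p{N} .,#\/\'-]{1,200}$/u',
    'gender'            => '/^(Male|Female|Other)$/',
    'officer_reporting' => '/^[\p{L} .\'-]{1,80}$/u',
    'offence'           => '/^[\p{L}\p{N} .,()\/-]{1,120}$/u',
];

// Returns [clean values, names of rejected fields]; missing or non-string input is rejected.
function validate_report(array $input): array
{
    $clean = $rejected = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = is_string($input[$field] ?? null) ? trim($input[$field]) : '';
        if (preg_match($pattern, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $rejected[] = $field;
        }
    }
    return [$clean, $rejected];
}

// Encode for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request body; 'name' carries markup instead of a name.
$post = ['offence_id' => 'OF-1001', 'vehicle_no' => 'AB 1234', 'driver_license' => 'DL-778899',
         'name' => '<script>alert(1)</script>', 'address' => '12 High St', 'gender' => 'Male',
         'officer_reporting' => "O'Neil", 'offence' => 'Speeding'];

// Assumed policy: pages load scripts only from their own origin and use no inline script.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
[$clean, $rejected] = validate_report($post);
if ($rejected !== []) {
    http_response_code(400); // refuse to store or reflect the record
}
echo 'Rejected fields: ' . e(implode(', ', $rejected)) . "\n";
echo 'Officer (valid, still encoded on output): ' . e($clean['officer_reporting']) . "\n";
echo 'Submitted name, encoded before display: ' . e($post['name']) . "\n";
```

Validation and encoding do different jobs here: the allow-list rejects the malformed `name`, while `e()` is what keeps a legitimate value such as `O'Neil` from breaking out of a quoted attribute when it is rendered.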
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-05T21:50:05.813Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6842c652182aa0cae20c28c6
Added to database: 6/6/2025, 10:43:30 AM
Last enriched: 7/7/2025, 6:14:07 PM
Last updated: 8/4/2025, 4:34:40 AM