
CVE-2025-57768: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Alanaktion phproject

Medium
Tags: Vulnerability, CVE-2025-57768, cve, cve-2025-57768, cwe-79
Published: Thu Aug 21 2025 (08/21/2025, 17:20:35 UTC)
Source: CVE Database V5
Vendor/Project: Alanaktion
Product: phproject

Description

Phproject is a high performance full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours field is included in the server response without any HTML encoding or sanitization. Because of this, an attacker can craft a malicious payload such as <script>alert(1)</script> and include it in the planned_hours parameter. The server reflects the input directly in the HTML of the project creation page, causing the browser to interpret and execute it. This vulnerability is fixed in 1.8.3.

AI-Powered Analysis

Last updated: 08/21/2025, 18:03:14 UTC

Technical Analysis

CVE-2025-57768 is a stored Cross-Site Scripting (XSS) vulnerability affecting versions 1.8.0 up to but not including 1.8.3 of Alanaktion's phproject, a high-performance project management system. The vulnerability arises from improper neutralization of user input in the Planned Hours field during project creation. Specifically, when a POST request is sent to the /issues/new/ endpoint with a crafted payload in the planned_hours parameter, the server includes this input directly in the HTML response without any encoding or sanitization. This allows an attacker to inject malicious JavaScript code, such as <script>alert(1)</script>, which the victim's browser will execute when rendering the project creation page. Because the vulnerability is stored, the malicious script persists on the server and can affect multiple users who access the affected page. The vulnerability requires no authentication or user interaction to exploit, as the crafted payload is reflected and stored by the server and executed automatically when the page is loaded. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v4.0 base score of 6.9 (medium severity), with an attack vector of network, low attack complexity, no privileges or user interaction required, and limited scope impact. The vulnerability was publicly disclosed on August 21, 2025, and fixed in version 1.8.3 of phproject. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using phproject versions between 1.8.0 and 1.8.2, this vulnerability poses a significant risk to the confidentiality and integrity of their web applications. An attacker exploiting this XSS flaw could execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware. Since phproject is a project management tool, compromised accounts could expose sensitive project data, internal communications, and planning information, which could have operational and reputational consequences. The stored nature of the XSS increases the risk as malicious scripts persist and affect multiple users. Although the vulnerability does not directly impact availability, the indirect effects of compromised user accounts and data leakage can disrupt business processes. European organizations with public-facing or internally accessible phproject instances are particularly at risk, especially if they have not applied the patch or implemented input sanitization controls. The lack of required authentication for exploitation increases the threat surface, allowing external attackers to target vulnerable installations remotely.

Mitigation Recommendations

1. Immediate upgrade to phproject version 1.8.3 or later, where the vulnerability is fixed.
2. If upgrading is not immediately possible, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the planned_hours parameter, focusing on script tags and suspicious input patterns.
3. Employ input validation and output encoding at the application level to ensure that all user-supplied data, especially in the Planned Hours field, is properly sanitized and HTML-encoded before rendering.
4. Conduct a thorough audit of existing project entries to identify and remove any malicious scripts that may have been injected prior to patching.
5. Educate users and administrators about the risks of XSS and encourage vigilance when interacting with project management tools.
6. Monitor logs and network traffic for unusual POST requests to /issues/new/ that may indicate exploitation attempts.
7. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing phproject instances.
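As an added illustration of recommendation 3 (this is not phproject's own code, which the page does not show): a hypothetical PHP handler that echoes the planned_hours value back into the page unencoded, the pattern the advisory describes, beside a hardened version that validates the field as a non-negative number and HTML-encodes it on output. The function names, the markup fragment and the request arrays are constructed for the example.

```php
<?php
// Added example, not phproject's code: function names, markup and the
// request arrays below are hypothetical.

// Pattern described in the advisory: the submitted value is written back
// into the response without encoding, so any markup in it is interpreted
// by the browser. Shown only to make the difference to the fix visible.
function render_planned_hours_vulnerable(array $post): string
{
    $value = $post['planned_hours'] ?? '';
    return '<p>Planned hours: ' . $value . '</p>';
}

// Hardened version, step 1: validate before the value is stored or shown.
// Planned hours is a numeric field, so anything that is not a
// non-negative number is rejected outright.
function validate_planned_hours(?string $raw): ?float
{
    if ($raw === null || $raw === '') {
        return null;                       // optional field, treated as "not set"
    }
    $hours = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($hours === false || $hours < 0) {
        return null;                       // reject non-numeric or negative input
    }
    return $hours;
}

// Hardened version, step 2: HTML-encode on output regardless of validation,
// so the template stays safe even if the validation rule is later relaxed.
function render_planned_hours_hardened(array $post): string
{
    $hours = validate_planned_hours($post['planned_hours'] ?? null);
    // Never echo the rejected raw input; show a fixed message instead.
    $shown = $hours === null ? 'not set' : (string) $hours;
    return '<p>Planned hours: '
        . htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed request bodies: a legitimate value and the advisory's sample payload.
$requests = [
    ['planned_hours' => '12.5'],
    ['planned_hours' => '<script>alert(1)</script>'],
];

foreach ($requests as $post) {
    echo 'vulnerable: ' . render_planned_hours_vulnerable($post) . PHP_EOL;
    echo 'hardened:   ' . render_planned_hours_hardened($post) . PHP_EOL;
}
```

The second request produces an executable script element from the vulnerable function and the literal text "not set" from the hardened one; even if the raw value were echoed, the htmlspecialchars call would turn the angle brackets into entities.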


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-19T15:16:22.917Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a75bc4ad5a09ad00170304

Added to database: 8/21/2025, 5:47:48 PM

Last enriched: 8/21/2025, 6:03:14 PM

Last updated: 8/21/2025, 6:03:14 PM

