CVE-2025-58646 is a medium severity vulnerability classified as CWE-79, which corresponds to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the product Mobi2Go developed by chtombleson, specifically versions up to 1.0.0. The flaw allows for Stored XSS attacks, meaning that malicious input submitted by an attacker is stored by the application and later rendered in web pages without proper sanitization or encoding. When a victim user accesses the affected page, the malicious script executes in their browser context. The CVSS v3.1 base score is 5.9, reflecting a medium severity level. The vector string (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent, as the attacker could potentially steal session tokens, manipulate displayed content, or cause denial of service through script execution. No known exploits are currently reported in the wild, and no patches or fixes are linked yet. The vulnerability was published on September 22, 2025, and reserved earlier that month. Stored XSS vulnerabilities are particularly dangerous because they can affect multiple users and persist until remediated. Given the nature of Mobi2Go as a web-based platform, this vulnerability could be exploited to target users of the system, potentially leading to session hijacking, phishing, or unauthorized actions performed in the context of the victim's session.

For European organizations using Mobi2Go, this vulnerability poses a risk of client-side compromise through malicious script execution. Attackers could leverage the Stored XSS to steal sensitive user information such as authentication tokens, personal data, or manipulate the user interface to conduct phishing attacks. This could lead to unauthorized access to organizational resources or data breaches. The impact extends to the integrity of displayed information and availability if the injected scripts disrupt normal operations. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, or public services, could face compliance violations and reputational damage if exploited. The requirement for high privileges to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, especially if insider threats or compromised accounts exist. The need for user interaction means social engineering could be used to trigger the exploit. Overall, the vulnerability could undermine trust in affected web services and lead to operational disruptions or data leakage.

To mitigate this vulnerability, European organizations should implement strict input validation and output encoding on all user-supplied data rendered in web pages within Mobi2Go. Employing a robust Content Security Policy (CSP) can help restrict the execution of unauthorized scripts. Since no patches are currently available, organizations should consider temporary workarounds such as disabling or restricting features that accept user input or display dynamic content until a fix is released. Conducting regular security audits and penetration testing focused on XSS vectors in Mobi2Go deployments is recommended. Additionally, enforcing the principle of least privilege for user accounts can reduce the risk posed by the high privilege requirement. User awareness training to recognize phishing or suspicious links can help mitigate the risk from required user interaction. Monitoring logs for unusual activity and implementing Web Application Firewalls (WAFs) with XSS detection rules can provide additional layers of defense. Once a patch is released, prompt application of updates is critical.