CVE-2025-58873 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the pusheco Pushe Web Push Notification product, affecting versions up to 0.5.0. This vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before rendering it in web pages, allowing malicious actors to inject and store arbitrary JavaScript code. When other users or administrators access the affected pages, the malicious script executes in their browsers within the context of the vulnerable domain. The CVSS v3.1 base score is 5.9, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality, integrity, and availability losses, as the attacker can execute scripts that may steal session tokens, manipulate page content, or perform actions on behalf of the user. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability requires an attacker to have high privileges and to trick a user into interacting with the malicious payload, which somewhat limits exploitation but does not eliminate risk. Stored XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users over time.

For European organizations using Pushe Web Push Notification, this vulnerability poses a risk of session hijacking, unauthorized actions, or data leakage through malicious script execution in users’ browsers. Given that push notifications often integrate with customer-facing websites or internal dashboards, exploitation could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations if personal data is exposed), and potential financial losses. The requirement for high privileges to inject the payload suggests insider threats or compromised administrator accounts are the most likely attack vectors. However, once injected, any user accessing the affected pages could be impacted. This could disrupt business operations, especially if the push notification system is critical for customer engagement or internal communications. The scope change in the CVSS vector indicates that the vulnerability could affect other components or data beyond the immediate application, increasing the potential impact. European organizations must be vigilant, particularly those in sectors with strict data protection requirements or high reliance on web-based notification systems.

Organizations should prioritize the following mitigations: 1) Immediately audit and restrict administrative access to the Pushe Web Push Notification system to minimize the risk of privilege abuse. 2) Implement strict input validation and output encoding on all user-supplied data rendered in web pages, following OWASP XSS prevention guidelines. 3) Deploy Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script sources. 4) Monitor logs for unusual administrative activities or injection attempts. 5) Isolate the push notification system from critical internal networks to limit lateral movement if compromised. 6) Engage with the vendor or community to obtain patches or updates as soon as they become available and apply them promptly. 7) Conduct regular security assessments and penetration tests focusing on web application vulnerabilities, including stored XSS. 8) Educate users and administrators about phishing and social engineering risks that could facilitate exploitation. These steps go beyond generic advice by emphasizing access control, proactive monitoring, and layered defenses tailored to the nature of this vulnerability.