CVE-2025-60149 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the Notely application developed by Michael Ott. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. This flaw allows an attacker with high privileges and requiring user interaction to inject malicious scripts that are persistently stored within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. The CVSS 3.1 base score is 5.9, reflecting a network attack vector with low attack complexity but requiring privileges and user interaction. The vulnerability affects Notely versions up to 1.8.0, though exact affected versions are not fully enumerated. No patches or known exploits in the wild have been reported as of the publication date (September 26, 2025). Stored XSS vulnerabilities are particularly dangerous because they can impact multiple users and persist over time, increasing the attack surface. The scope is changed (S:C), indicating that exploitation could affect resources beyond the initially vulnerable component, potentially impacting confidentiality, integrity, and availability at a limited level.

For European organizations using Notely, this vulnerability poses a risk of unauthorized script execution within their internal or external note-taking environments. The impact includes potential data leakage, session hijacking, and unauthorized actions performed on behalf of legitimate users, which could compromise sensitive organizational information. Given that Notely is a note-taking application, it may be used to store confidential business data, project details, or personal information, making exploitation impactful for confidentiality and integrity. The requirement for high privileges to exploit somewhat limits the threat to insiders or compromised accounts, but user interaction is still needed, which may be feasible through social engineering. The vulnerability could also be leveraged in targeted attacks against European organizations, especially those with collaborative workflows relying on Notely. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits post-disclosure. Overall, the vulnerability could disrupt business operations and erode trust in internal communication tools if exploited.

Organizations should immediately audit their Notely deployments and upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on all user-generated content within Notely to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS payloads. Limit user privileges to the minimum necessary to reduce the risk of high-privilege exploitation. Conduct user awareness training to recognize and avoid social engineering attempts that could trigger the stored XSS. Regularly monitor application logs for suspicious input patterns or unusual user activities indicative of exploitation attempts. Consider isolating Notely instances from critical network segments to contain potential breaches. Finally, engage with the vendor or community to track patch releases and apply them promptly.