CVE-2025-60249: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in CIRCL vulnerability-lookup
vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
AI Analysis
Technical Summary
CVE-2025-60249 is a medium-severity Cross-Site Scripting (XSS) vulnerability identified in version 2.16.0 of the CIRCL vulnerability-lookup application. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically within the Bundles, Comments, and Sightings components of the application. In these components, untrusted data is rendered directly into HTML templates and tables using unsafe innerHTML assignments without adequate sanitization or validation. This unsafe handling allows an authenticated user with privileges to add bundles, comments, or sightings to inject arbitrary JavaScript code into the application interface. The vulnerability stems from insufficient validation of dynamic URLs and model fields, as well as the use of innerHTML instead of safer DOM manipulation methods. Successful exploitation could lead to the execution of malicious scripts in the context of other users’ browsers, potentially resulting in session hijacking, unauthorized actions, or data theft within the application. The vulnerability has been addressed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and enhancing input validation in the affected models. The CVSS v3.1 base score is 6.4, reflecting a network-exploitable vulnerability requiring low privileges but no user interaction, with partial impact on confidentiality and integrity, and no impact on availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations using CIRCL vulnerability-lookup 2.16.0, this XSS vulnerability poses a risk of unauthorized script execution within the application’s user interface. Given that the vulnerability requires authenticated user privileges to add content, the threat primarily concerns insider threats or compromised user accounts. Exploitation could allow attackers to hijack sessions, manipulate displayed data, or perform unauthorized actions on behalf of other users, undermining data integrity and confidentiality. This could be particularly impactful for security teams relying on vulnerability-lookup for managing and sharing sensitive vulnerability intelligence, potentially leading to misinformation, data leakage, or disruption of security workflows. The vulnerability does not affect availability directly but could degrade trust in the platform. European organizations with stringent data protection regulations (e.g., GDPR) may face compliance risks if sensitive information is exposed or manipulated. Additionally, the collaborative nature of CIRCL’s platform means that exploitation could propagate malicious scripts across multiple users and organizations, amplifying the impact.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should promptly upgrade CIRCL vulnerability-lookup to a version where the issue is fixed, or apply vendor-provided patches if available. In the absence of immediate patches, organizations should implement strict input validation and sanitization on all user-supplied data before rendering it in the UI. Replace any use of innerHTML with safer DOM manipulation methods such as textContent or createElement to prevent injection of executable code. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. Limit the privileges of users who can add bundles, comments, or sightings to trusted personnel only, and monitor logs for suspicious activity indicative of exploitation attempts. Conduct regular security audits and penetration testing focused on input handling and client-side scripting vulnerabilities. Educate users about the risks of XSS and encourage reporting of unusual application behavior. Finally, ensure that URL encoding functions like encodeURIComponent are consistently used when handling dynamic URLs to prevent injection via crafted links.
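The fix pattern the advisory describes (escape untrusted fields before they reach markup, replace innerHTML with DOM methods, validate dynamic URLs and encode their user-controlled parts with encodeURIComponent), as an added JavaScript example that is not code from vulnerability-lookup or CIRCL. The comment object shape, the `/bundle/` route, the function names and the sample values are assumptions constructed for illustration; the "unsafe" renderer is kept only to contrast with the hardened one.

```javascript
// Added example, not vulnerability-lookup's own code. Shows the two rendering
// paths the advisory names: markup assembled as a string (templates/tables)
// and DOM updates in the browser, each with user-supplied fields neutralised.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build an internal link from a user-controlled identifier (route is assumed).
// encodeURIComponent stops '/', '?', '#', '"' and similar from changing the
// meaning of the path; the result is HTML-escaped again when put in an attribute.
function bundlePath(bundleUuid) {
  return '/bundle/' + encodeURIComponent(bundleUuid);
}

// Accept only absolute http(s) URLs as outbound links. Anything else
// (javascript:, data:, unparsable text) yields null and is rendered as plain text.
function safeExternalUrl(candidate) {
  let url;
  try { url = new URL(String(candidate)); } catch { return null; }
  return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
}

// "Before" pattern: fields concatenated straight into markup, equivalent to
// element.innerHTML = ... with untrusted data. Kept only for contrast.
function renderCommentRowUnsafe(comment) {
  return '<tr><td>' + comment.author + '</td><td>' + comment.text +
         '</td><td><a href="' + comment.link + '">source</a></td></tr>';
}

// Hardened: every field escaped, external link validated, internal path encoded.
function renderCommentRowSafe(comment) {
  const link = safeExternalUrl(comment.link);
  const linkCell = link
    ? '<a href="' + escapeHtml(link) + '" rel="noopener noreferrer">source</a>'
    : escapeHtml(String(comment.link ?? ''));
  return '<tr>' +
    '<td>' + escapeHtml(comment.author) + '</td>' +
    '<td>' + escapeHtml(comment.text) + '</td>' +
    '<td>' + linkCell + '</td>' +
    '<td><a href="' + escapeHtml(bundlePath(comment.bundleUuid)) + '">bundle</a></td>' +
    '</tr>';
}

// Browser-side equivalent using DOM methods instead of innerHTML: text enters
// through textContent (never parsed as markup) and attributes through
// setAttribute. Needs a real document, so the offline test does not call it.
function appendCommentRow(tbody, comment) {
  const doc = tbody.ownerDocument;
  const tr = doc.createElement('tr');
  for (const text of [comment.author, comment.text]) {
    const td = doc.createElement('td');
    td.textContent = text; // assigned as data, so "<script>" stays literal
    tr.appendChild(td);
  }
  const td = doc.createElement('td');
  const link = safeExternalUrl(comment.link);
  if (link) {
    const a = doc.createElement('a');
    a.setAttribute('href', link);
    a.setAttribute('rel', 'noopener noreferrer');
    a.textContent = 'source';
    td.appendChild(a);
  } else {
    td.textContent = String(comment.link ?? '');
  }
  tr.appendChild(td);
  tbody.appendChild(tr);
  return tr;
}

// Constructed sample comment; not data from any real instance.
const SAMPLE_COMMENT = {
  author: 'analyst <script>x()</script>',
  text: 'see "notes" & <b>bold</b>',
  link: 'javascript:x()',
  bundleUuid: 'abc/../"?x=1',
};

console.log(renderCommentRowUnsafe(SAMPLE_COMMENT)); // markup survives intact: the bug
console.log(renderCommentRowSafe(SAMPLE_COMMENT));   // markup rendered as literal text
```

The three controls are independent and all three are needed: escaping covers text and attribute contexts, scheme validation covers the href value itself (escaping alone would still pass a `javascript:` URL through), and encodeURIComponent covers identifiers spliced into a path. In a browser, prefer the DOM variant over string assembly wherever the page is updated dynamically.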
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Switzerland, Luxembourg
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d57a717f709e48c38d3def
Added to database: 9/25/2025, 5:22:57 PM
Last enriched: 9/25/2025, 5:23:14 PM
Last updated: 9/25/2025, 8:21:47 PM