CVE-2025-62528 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in the open source qualitative research tool Taguette, specifically in versions prior to 1.5.0. The vulnerability arises from improper neutralization of input during web page generation, where a project member can inject arbitrary JavaScript code into the name or description fields of a project. When the project is loaded, this malicious script executes in the context of the victim's browser session. The attack vector requires the attacker to have authenticated access as a project member, but no additional user interaction (such as clicking) is necessary once the project is loaded. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, data theft, or manipulation of displayed content. Availability is not affected. The issue was addressed and patched in Taguette version 1.5.0 by implementing proper input sanitization and output encoding to prevent script execution. No known exploits have been reported in the wild, but the vulnerability presents a moderate risk due to the ease of exploitation by insiders or compromised accounts. The CVSS v3.1 base score is 5.4, reflecting network attack vector, low attack complexity, required privileges (project member), no user interaction, and limited impact on confidentiality and integrity. This vulnerability highlights the importance of input validation in collaborative web applications handling sensitive research data.

For European organizations, especially academic institutions, research centers, and NGOs using Taguette for qualitative data analysis, this vulnerability poses a risk of unauthorized data exposure and session hijacking. Malicious project members or attackers who gain project member credentials could inject scripts to steal sensitive research data, manipulate project content, or perform actions on behalf of legitimate users. This could lead to breaches of confidentiality, loss of data integrity, and potential reputational damage. Although availability is not impacted, the compromise of research data confidentiality may violate data protection regulations such as GDPR, resulting in legal and financial consequences. The collaborative nature of Taguette means that multiple users accessing the same project could be exposed to the malicious script, amplifying the risk. Organizations relying on open source tools without strict update policies may be particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target unpatched vulnerabilities in niche research tools.

The primary mitigation is to upgrade all Taguette installations to version 1.5.0 or later, where the vulnerability is patched. Organizations should enforce strict access controls to limit project membership to trusted individuals and regularly review member permissions. Implementing web application firewalls (WAFs) with rules to detect and block suspicious script injections can provide additional protection. Input validation and output encoding should be enforced at the application level if custom deployments or forks exist. Monitoring logs for unusual activity related to project fields can help detect attempted exploitation. Educating users about the risks of injecting untrusted content and maintaining an incident response plan for potential data breaches are also recommended. For organizations hosting Taguette internally, applying security hardening best practices such as network segmentation and multi-factor authentication for user accounts will reduce the risk of credential compromise. Regular vulnerability scanning and patch management processes should include open source tools like Taguette to ensure timely updates.