CVE-2025-62798 identifies a Cross-Site Scripting (XSS) vulnerability in the code16/sharp content management framework, specifically in versions prior to 9.11.1. Sharp is a Laravel package used to build content management systems, and the vulnerability resides in the SharpShowTextField component. This component renders content by evaluating expressions wrapped in {{ & }} using the Vue.js framework. Due to improper input neutralization, an attacker with at least limited privileges (PR:L) and requiring user interaction (UI:R) can inject malicious JavaScript or HTML code. When the vulnerable field is displayed in a user's browser, the injected script executes, potentially allowing theft of session tokens, manipulation of displayed content, or other malicious actions that compromise confidentiality and integrity. The vulnerability does not affect system availability. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and user interaction. No known exploits have been reported in the wild. The issue was addressed in version 9.11.1 by properly sanitizing or escaping input before rendering, preventing Vue from evaluating arbitrary expressions. Organizations using Sharp versions below 9.11.1 should upgrade promptly and audit any custom fields that may be vulnerable to injection attacks.

For European organizations, this vulnerability poses a risk primarily to web applications built using the code16/sharp framework on Laravel. Successful exploitation can lead to unauthorized disclosure of sensitive information such as session cookies or user data, undermining confidentiality. Attackers could also alter the integrity of displayed content, potentially misleading users or facilitating phishing attacks. Although availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations relying on Sharp for content management in customer-facing or internal portals are at risk, especially if users with limited privileges can inject malicious scripts that execute in other users’ browsers. The need for user interaction reduces the likelihood of automated widespread exploitation but does not eliminate targeted attacks. Given the widespread use of Laravel in Europe, particularly in countries with strong software development sectors, the impact could be notable if patches are not applied.

1. Upgrade all instances of code16/sharp to version 9.11.1 or later immediately to apply the official fix. 2. Review and sanitize all user inputs that are rendered using SharpShowTextField or similar components, ensuring no untrusted data is evaluated as Vue expressions. 3. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. 4. Conduct code audits focusing on template rendering and input handling to identify any other instances where Vue expressions might be improperly evaluated. 5. Educate developers and administrators about the risks of injecting untrusted content into templates and the importance of escaping or sanitizing inputs. 6. Monitor web application logs and user reports for suspicious activity that could indicate attempted exploitation. 7. Employ web application firewalls (WAFs) with rules targeting XSS payloads as an additional layer of defense.