CVE-2025-62989 identifies a stored Cross-site Scripting (XSS) vulnerability in Boxy Studio's Cooked product, versions up to 1.11.2. The root cause is improper neutralization of input during web page generation, categorized under CWE-79. Stored XSS occurs when malicious scripts injected by an attacker are permanently stored on the server (e.g., in a database) and later executed in the browsers of users who access the affected pages. This vulnerability allows an attacker with authenticated access to inject malicious JavaScript code that executes in the context of other users' browsers, potentially leading to session hijacking, data theft, or unauthorized actions. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates that the attack is network-based, requires low attack complexity, but demands high privileges and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. The impacts include limited confidentiality, integrity, and availability losses. No known exploits are currently in the wild, and no official patches have been linked, indicating that mitigation relies on configuration and coding best practices until a patch is released. The vulnerability was reserved in late October 2025 and published at the end of December 2025, suggesting recent discovery. Organizations using Cooked for web content should prioritize input validation, output encoding, and user privilege management to reduce risk.

For European organizations, this vulnerability poses a moderate risk primarily to web applications using Boxy Studio Cooked for content management or web publishing. Exploitation could lead to unauthorized script execution in users’ browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. This can compromise user data confidentiality and integrity and potentially disrupt service availability. Given the requirement for authenticated access and user interaction, insider threats or compromised accounts increase risk. Organizations handling sensitive or personal data under GDPR must consider the regulatory implications of data breaches resulting from such XSS attacks. The medium CVSS score reflects a balanced risk, but the potential for chained attacks or privilege escalation could amplify impact. European entities with public-facing web portals or intranet systems using Cooked are particularly vulnerable, especially if patching is delayed or mitigations are not implemented.

1. Immediately audit and restrict user privileges to minimize the number of users with high-level access capable of injecting content. 2. Implement strict input validation on all user-supplied data, ensuring that potentially dangerous characters are sanitized or rejected before storage. 3. Apply robust output encoding (e.g., HTML entity encoding) when rendering user-generated content to prevent script execution in browsers. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS. 5. Monitor logs and user activity for unusual behavior indicative of attempted exploitation. 6. Segregate web application components to limit scope and impact if compromise occurs. 7. Stay updated with Boxy Studio advisories and apply patches promptly once available. 8. Conduct regular security testing, including automated scanning and manual code reviews focusing on input handling. 9. Educate users about phishing and social engineering risks that could facilitate exploitation via user interaction. 10. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Cooked.