CVE-2025-63522: n/a
Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function
AI Analysis
Technical Summary
CVE-2025-63522 identifies a Reverse Tabnabbing vulnerability in FeehiCMS version 2.1.1, located within the Comments Management function. Reverse Tabnabbing is a social engineering technique that abuses how browsers open links with target="_blank": unless the link also carries rel="noopener", the newly opened page keeps a window.opener reference back to the originating tab and can navigate that tab to a URL of its choosing. By injecting such links into comments, an attacker can cause the original page to be replaced with a phishing or malicious site once the user clicks the link, potentially leading to credential theft or further exploitation. Exploitation requires the attacker to hold some privileges (PR:L) and requires user interaction (UI:R): the attacker must be able to post comments, and the victim must click the malicious link.

The CVSS score of 4.6 reflects a medium severity, with impacts on confidentiality and integrity but no impact on availability. The vulnerability is categorized under CWE-1021 (Improper Neutralization of Input During Web Page Generation). No patches or known exploits are currently available, but the vulnerability has been publicly disclosed as of December 1, 2025. The lack of patch links means organizations must apply manual mitigations or await vendor fixes. The attack surface is limited to FeehiCMS installations running version 2.1.1 with the comment management feature enabled and accepting user-generated content containing links. This vulnerability highlights the importance of secure coding practices around user input and link handling in web applications.
Potential Impact
For European organizations using FeehiCMS 2.1.1, this vulnerability poses a risk primarily to confidentiality and integrity. Attackers could leverage the vulnerability to conduct phishing attacks, steal user credentials, or redirect users to malicious sites, potentially compromising user accounts or internal systems. While availability is not impacted, the reputational damage and potential data breaches could be significant, especially for organizations handling sensitive user data or operating in regulated sectors such as finance, healthcare, or government. The requirement for some privileges to post comments limits the attacker's initial access, but insider threats or compromised accounts could facilitate exploitation. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits post-disclosure. Organizations relying on FeehiCMS for public-facing websites or community engagement should be particularly vigilant, as user trust and data protection compliance (e.g., GDPR) could be jeopardized.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately review and restrict privileges related to comment posting to trusted users only, minimizing the risk of malicious content injection.
2) Sanitize and validate all user-generated content rigorously to prevent injection of malicious links or scripts.
3) Modify the CMS or web server configuration to add rel="noopener noreferrer" attributes to all external links opened with target="_blank" to prevent the reverse tabnabbing effect.
4) Monitor comment sections for suspicious links or behavior and employ automated scanning tools to detect malicious URLs.
5) Engage with the FeehiCMS vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
6) Educate users about the risks of clicking links in comments and encourage reporting of suspicious activity.
7) Consider implementing Content Security Policy (CSP) headers to restrict navigation and framing behaviors.
These targeted actions go beyond generic advice and address the specific attack vector of reverse tabnabbing in FeehiCMS.
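One way to implement mitigations 2 and 3 on the server side, as an added example that is not FeehiCMS's own code: a small post-processor over rendered comment HTML that replaces hrefs with unexpected URL schemes and forces rel="noopener noreferrer" onto every link opened with target="_blank". The ALLOWED_SCHEMES policy, the class and the function names are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link policy for rendered comment HTML (constructed for this example, not FeehiCMS code).
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative links
REQUIRED_REL = ("noopener", "noreferrer")


class CommentLinkRewriter(HTMLParser):
    """Re-emits a comment HTML fragment, enforcing the link policy on every <a>.
    HTML comments are dropped; text and attribute values are re-escaped on output."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives unescaped
        self.out = []

    @staticmethod
    def _fix_anchor(attrs):
        href = (attrs.get("href") or "").strip()
        # Fail closed: javascript:, data:, vbscript: or any unknown scheme becomes "#".
        if urlsplit(href).scheme.lower() not in ALLOWED_SCHEMES:
            attrs["href"] = "#"
        # A link that opens a new browsing context must sever window.opener.
        if (attrs.get("target") or "").lower() == "_blank":
            rel = set((attrs.get("rel") or "").split())
            rel.update(REQUIRED_REL)
            attrs["rel"] = " ".join(sorted(rel))
        return attrs

    def _emit_tag(self, tag, attrs, self_closing=False):
        attrs = dict(attrs)         # HTMLParser gives (name, value) pairs, value may be None
        if tag == "a":
            attrs = self._fix_anchor(attrs)
        rendered = "".join(
            " %s" % k if v is None else ' %s="%s"' % (k, html.escape(v, quote=True))
            for k, v in attrs.items())
        self.out.append("<%s%s%s>" % (tag, rendered, " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def rewrite_comment_links(fragment):
    """Return the fragment with policy-checked hrefs and noopener/noreferrer on _blank links."""
    parser = CommentLinkRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Current browsers already imply noopener for target="_blank" links, but the explicit rel attribute remains the portable fix for older clients, and the scheme check covers the wider link-injection concern raised in mitigation 2.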
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692db01b5d7189e19832fc0b
Added to database: 12/1/2025, 3:11:23 PM
Last enriched: 12/8/2025, 4:03:20 PM
Last updated: 1/19/2026, 7:56:07 AM