CVE-2025-64260 identifies a reflected Cross-site Scripting (XSS) vulnerability in the Marco Milesi ANAC XML Bandi di Gara product, a software solution used for managing public procurement notices and tenders. The vulnerability stems from improper neutralization of input during web page generation, which allows malicious actors to inject and execute arbitrary JavaScript code in the context of the victim’s browser. This reflected XSS occurs when untrusted input is included in web responses without adequate sanitization or encoding, enabling attackers to craft URLs or web requests that, when visited by users, execute malicious scripts. Such scripts can hijack user sessions, steal cookies, manipulate page content, or perform actions on behalf of the user without their consent. The affected versions include all releases up to and including version 7.7, with no specific earlier versions identified. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability is publicly disclosed and considered exploitable. The vulnerability does not require authentication, increasing its risk profile, but it does require user interaction, such as clicking a malicious link. The software is primarily used in public sector procurement contexts, making government agencies and contractors potential targets. The lack of available patches at the time of disclosure necessitates immediate mitigation through input validation, output encoding, and security headers like Content Security Policy (CSP) to reduce exploitation risk.

The impact of CVE-2025-64260 on European organizations can be significant, especially for public sector entities involved in procurement and tender management that rely on the ANAC XML Bandi di Gara software. Exploitation of this reflected XSS vulnerability could lead to unauthorized access to sensitive procurement data, session hijacking, and potential manipulation of tender information, undermining the integrity and confidentiality of procurement processes. This could result in reputational damage, legal consequences due to data protection regulations such as GDPR, and financial losses from disrupted procurement activities. Additionally, attackers could use the vulnerability as a foothold to conduct further attacks within the network or to deliver malware. The requirement for user interaction means that phishing or social engineering campaigns could be used to exploit the vulnerability, increasing the risk to end users and administrators. Given the critical nature of public procurement systems in Europe, the vulnerability poses a threat to operational continuity and trust in public institutions.

To mitigate CVE-2025-64260, European organizations should take the following specific actions: 1) Monitor vendor communications closely and apply security patches or updates as soon as they become available for ANAC XML Bandi di Gara. 2) Implement strict input validation on all user-supplied data to ensure that potentially malicious characters are sanitized before processing. 3) Employ robust output encoding techniques, such as HTML entity encoding, to neutralize any injected scripts before rendering content in browsers. 4) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5) Conduct user awareness training focused on recognizing phishing attempts and suspicious links to reduce the likelihood of user interaction with malicious payloads. 6) Use web application firewalls (WAFs) configured to detect and block common XSS attack patterns targeting the affected application. 7) Regularly audit and review application logs for unusual activity that could indicate attempted exploitation. 8) Consider isolating or segmenting the affected application environment to limit lateral movement in case of compromise.