
CVE-2025-65858: n/a

0
Low
Published: Tue Dec 02 2025 (12/02/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 14:13:36 UTC

Technical Analysis

CVE-2025-65858 is a stored Cross-Site Scripting (XSS) vulnerability identified in Calibre-Web version 0.6.25. The vulnerability arises from improper input validation and output encoding of the 'username' field during user creation. Attackers can inject malicious JavaScript payloads into this field, which are then stored persistently in the application database. When an administrator or user accesses the /ajax/listusers endpoint, the malicious script executes in their browser context. This execution can lead to theft of session cookies, enabling account takeover, or can be used to perform actions on behalf of the victim user. Since the vulnerability is stored XSS, the attack surface includes any user or admin who views the affected endpoint. Exploitation does not require authentication, making it accessible to unauthenticated attackers who can create accounts. The lack of a CVSS score indicates this is a newly disclosed vulnerability with no official severity rating yet. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the nature of stored XSS attacks. The vulnerability affects Calibre-Web, an open-source web application used for managing and sharing e-book libraries, which is popular in academic, public, and private digital library environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of user data and sessions. Organizations using Calibre-Web to manage digital content or provide user access to e-book collections could face account compromises, unauthorized data access, or manipulation of user privileges. The stored XSS could be leveraged to conduct phishing attacks within the trusted application context, steal authentication tokens, or spread malware. This is particularly concerning for institutions with sensitive or proprietary digital content, such as universities, public libraries, and research centers. The vulnerability could also damage organizational reputation and lead to compliance issues under GDPR if personal data is compromised. Since exploitation does not require authentication, attackers can easily target exposed installations, increasing the likelihood of successful attacks. The absence of a patch means organizations must rely on immediate mitigations to reduce exposure.

Mitigation Recommendations

1. Implement strict input validation and sanitization on the 'username' field to reject or neutralize any JavaScript or HTML content during user creation.
2. Apply output encoding or escaping on all user-supplied data rendered in the /ajax/listusers endpoint to prevent script execution.
3. Restrict access to the /ajax/listusers endpoint to authorized personnel only, using authentication and role-based access controls.
4. Monitor logs and user creation activity for suspicious patterns indicative of injection attempts.
5. If possible, disable public user registration temporarily until a patch or update is available.
6. Keep Calibre-Web installations updated and subscribe to vendor or community advisories for forthcoming patches.
7. Educate administrators and users about the risks of XSS and encourage the use of security headers like Content Security Policy (CSP) to mitigate script execution risks.
8. Conduct regular security assessments and penetration tests focusing on input handling and stored XSS vulnerabilities.
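As an added example, not part of this advisory and not Calibre-Web's own code, the Python snippet below puts the vulnerable rendering pattern the description implies (user-controlled name concatenated into HTML) next to its hardened form, and implements the allow-list validation, server-side escaping of the list-users JSON, the audit check for suspicious stored names, and the CSP header that recommendations 1, 2, 4 and 7 above call for. The field names, the allow-list pattern, the CSP value and the sample records are assumptions constructed for the demonstration.

```python
import html
import json
import re

# Constructed sample user records for this demonstration; they are not taken
# from a Calibre-Web database and the field names are assumptions.
SAMPLE_USERS = [
    {"id": 1, "name": "alice"},
    {"id": 2, "name": "<script>alert(1)</script>"},
]

# Hypothetical allow-list for usernames accepted at creation time
# (mitigation 1): letters, digits, dot, underscore, hyphen; 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

# Example Content-Security-Policy value (mitigation 7): only same-origin
# script files may run, so inline script injected into a page is blocked.
CSP_HEADER_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'"


def validate_username(name: str) -> bool:
    """Return True only if the proposed username matches the allow-list."""
    return USERNAME_RE.fullmatch(name) is not None


def render_row_unsafe(user: dict) -> str:
    """Vulnerable pattern: the stored name is concatenated straight into HTML,
    so any markup stored in the name is interpreted by the browser."""
    return "<td>%s</td>" % user["name"]


def render_row_safe(user: dict) -> str:
    """Hardened pattern (mitigation 2): HTML-escape the name before it reaches
    the page; stored markup becomes inert text."""
    return "<td>%s</td>" % html.escape(user["name"], quote=True)


def list_users_payload(users: list) -> str:
    """Build the JSON body a list-users endpoint might return.

    json.dumps does not escape '<' or '&', so a client that drops the name into
    the DOM via innerHTML would execute stored markup; escaping each name
    server-side closes that path regardless of how the client renders it.
    """
    safe = [{"id": u["id"], "name": html.escape(u["name"], quote=True)} for u in users]
    return json.dumps(safe)


def find_suspicious_users(users: list) -> list:
    """Return ids of stored users whose name fails the allow-list (mitigation 4):
    a periodic audit that flags records created before validation was enforced."""
    return [u["id"] for u in users if not validate_username(u["name"])]


def security_headers() -> dict:
    """Response headers a defender would add alongside output encoding."""
    return {
        "Content-Security-Policy": CSP_HEADER_VALUE,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(render_row_unsafe(user), "->", render_row_safe(user))
    print(list_users_payload(SAMPLE_USERS))
    print("suspicious ids:", find_suspicious_users(SAMPLE_USERS))
```

Escaping on output is the control that actually stops execution; the allow-list and the audit function are defence in depth for records that reach the database by another path, and the CSP header limits the damage if an escaping gap remains somewhere else in the application.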


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 692ef09b5ae7112264d5b095

Added to database: 12/2/2025, 1:58:51 PM

Last enriched: 12/2/2025, 2:13:36 PM

Last updated: 12/2/2025, 3:24:03 PM

Views: 4
