CVE-2025-65858 identifies a stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web version 0.6.25. The vulnerability arises from improper input sanitization of the 'username' field during user creation, allowing an attacker with authenticated privileges to inject malicious JavaScript code. This malicious payload is stored persistently in the application database and is executed when the /ajax/listusers endpoint is accessed, which likely returns a list of users in a format that renders the injected script. The attack vector requires the attacker to have the ability to create users, indicating a need for at least some level of authenticated access (PR:H). Additionally, user interaction is required to trigger the payload execution (UI:R), as the victim must access the affected endpoint. The vulnerability impacts confidentiality and integrity to a limited extent, as the attacker could potentially steal session tokens or perform actions on behalf of other users within the scope of the application. Availability is not impacted. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N) reflects network attack vector, low attack complexity, high privileges required, user interaction needed, unchanged scope, and low confidentiality and integrity impacts. No patches or known exploits are currently available. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

For European organizations using Calibre-Web, this vulnerability could allow an attacker with user creation privileges to execute malicious scripts in the context of other users accessing the /ajax/listusers endpoint. This could lead to theft of session cookies, unauthorized actions, or information disclosure limited to the application scope. While the impact is low severity, organizations handling sensitive or proprietary digital content may face risks to data confidentiality and integrity. The requirement for authenticated access and user interaction reduces the likelihood of widespread exploitation but does not eliminate risk in environments with multiple users or less stringent access controls. Additionally, if Calibre-Web is integrated into larger document management or digital library systems, the vulnerability could be leveraged as part of a multi-stage attack. The absence of patches means organizations must rely on mitigations until an official fix is released.

1. Restrict user creation privileges strictly to trusted administrators to reduce the attack surface. 2. Implement input validation and sanitization on the 'username' field to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application. 4. Monitor and audit user creation activities and access to the /ajax/listusers endpoint for suspicious behavior. 5. If possible, disable or restrict access to the /ajax/listusers endpoint until a patch is available. 6. Educate users about the risks of clicking on untrusted links or accessing endpoints that may trigger malicious scripts. 7. Regularly update Calibre-Web to the latest version once patches addressing this vulnerability are released. 8. Consider deploying web application firewalls (WAF) with rules to detect and block XSS payloads targeting this endpoint.