CVE-2025-65892: n/a
Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled.
AI Analysis
Technical Summary
CVE-2025-65892 is a reflected Cross-Site Scripting vulnerability identified in krpano, a software platform widely used for creating interactive panoramic images and virtual tours. The flaw exists in versions before 1.23.2 within the passQueryParameters function when the xml parameter is enabled. An attacker can craft a specially designed URL that, when visited by a victim, causes the victim's browser to execute arbitrary JavaScript code. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), i.e. untrusted input reaching the page without adequate encoding. The attack vector is network-based (AV:N) and requires no privileges (PR:N), but it does require user interaction (UI:R), such as clicking a malicious link. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. Confidentiality and integrity impacts are rated low (C:L/I:L); availability is not affected (A:N). Since krpano is often embedded in websites or applications delivering panoramic content, this vulnerability could be exploited to steal session cookies, perform phishing, or manipulate displayed content, potentially compromising user data or trust. No patches are linked yet, but upgrading to version 1.23.2 or later is recommended once available. No known exploits have been reported in the wild, but the medium CVSS score indicates a moderate risk that should be addressed proactively.
Potential Impact
For European organizations, especially those in digital media, tourism, real estate, and education sectors that utilize krpano for immersive content, this vulnerability poses a risk of client-side script injection leading to session hijacking, credential theft, or phishing attacks. The reflected XSS can undermine user trust and potentially expose sensitive user data or enable further attacks via the victim’s browser. Although it does not directly impact system availability, the compromise of user confidentiality and integrity can have reputational and regulatory consequences, particularly under GDPR. Organizations relying on krpano embedded in customer-facing portals or internal tools should consider the risk of targeted phishing campaigns exploiting this vulnerability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly once details are public.
Mitigation Recommendations
Organizations should immediately verify if they use krpano versions prior to 1.23.2 and plan to upgrade to version 1.23.2 or later once available. Until a patch is applied, implement strict input validation and output encoding on any user-controllable parameters passed to krpano, especially the xml parameter in passQueryParameters. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Educate users about the risks of clicking untrusted links and monitor web traffic for suspicious URL patterns targeting krpano components. Web application firewalls (WAFs) can be tuned to detect and block reflected XSS attempts targeting this vulnerability. Additionally, review and limit the exposure of krpano interfaces to only trusted users or networks where feasible. Regularly audit and test web applications embedding krpano to detect any residual XSS risks.
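The "strict input validation" recommended above, applied at the point where the embedding page decides which URL query parameters are forwarded to the viewer. This is an added example and not krpano's own code: the parameter names in the allowlist, the path policy for the xml parameter and the option name allowXml are assumptions for illustration; krpano's actual embedding options are not modelled.

```javascript
// Added example (not krpano code): allowlist the query parameters a page
// forwards to an embedded viewer instead of forwarding everything.
// ALLOWED_PARAMS, XML_PATH_RE and the allowXml option are assumptions.

// Only these parameters may reach the viewer at all.
const ALLOWED_PARAMS = new Set(["startscene", "view.hlookat", "view.vlookat"]);

// The xml parameter selects the tour file: accept only a relative path with a
// conservative character set that ends in .xml. No markup, no traversal.
const XML_PATH_RE = /^[A-Za-z0-9_\-\/]+\.xml$/;

// Values for the remaining parameters must be plain tokens.
const TOKEN_RE = /^[A-Za-z0-9_.\-]{1,64}$/;

/**
 * Filter a raw query string ("?a=1&xml=...") down to the parameters the page
 * is willing to forward. Rejected parameter names are returned so the caller
 * can log them (a reflected-XSS attempt shows up here as a rejected "xml").
 */
function filterViewerParams(search, { allowXml = false } = {}) {
  const params = new URLSearchParams(search);
  const accepted = {};
  const rejected = [];
  for (const [name, value] of params) {
    if (name === "xml") {
      // Forward xml only when explicitly enabled AND the value fits the policy.
      if (allowXml && XML_PATH_RE.test(value) && !value.includes("..")) {
        accepted.xml = value;
      } else {
        rejected.push(name);
      }
      continue;
    }
    if (ALLOWED_PARAMS.has(name) && TOKEN_RE.test(value)) {
      accepted[name] = value;
    } else {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed samples: a benign deep link, and one that smuggles markup
// through the xml parameter (the markup is rejected before reaching the viewer).
const benign = filterViewerParams("?startscene=lobby&xml=tours/lobby.xml", { allowXml: true });
const hostile = filterViewerParams("?xml=%3Cb%3Ehi%3C%2Fb%3E.xml&startscene=lobby", { allowXml: true });
console.log(benign.accepted, hostile.rejected); // { startscene, xml } and [ 'xml' ]
```

The rejected list is the natural hook for the log monitoring the recommendations mention: a spike in rejected xml parameters on krpano-embedding pages is the signal to look for.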
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692a6e062a13ea799fea6fbf
Added to database: 11/29/2025, 3:52:38 AM
Last enriched: 12/6/2025, 4:33:07 AM
Last updated: 1/13/2026, 5:38:43 PM