CVE-2025-65892: n/a
Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled.
AI Analysis
Technical Summary
CVE-2025-65892 is a reflected cross-site scripting (rXSS) vulnerability identified in krpano, software commonly used for displaying panoramic images on web platforms. The vulnerability exists in versions prior to 1.23.2 and stems from insufficient sanitization of user-supplied input passed to the passQueryParameters function when the xml parameter is enabled. An attacker can craft a malicious URL containing JavaScript payloads that, when visited by a victim, execute arbitrary scripts within the victim's browser context. This attack vector does not require authentication, and the only user interaction needed is visiting the malicious URL. The impact of such an attack includes stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the victim within the vulnerable web application. Although no exploits have been reported in the wild yet, the vulnerability's nature makes it a significant risk, especially for web applications that rely on krpano for interactive media content. The absence of a CVSS score indicates the need for an expert severity assessment that considers the vulnerability's potential for widespread exploitation and its impact on confidentiality and integrity. The vulnerability is particularly relevant for organizations that integrate krpano into their customer-facing portals or internal tools, as attackers could leverage this flaw to compromise user data or disrupt services.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to web applications and services that utilize krpano for panoramic image rendering or interactive media. Exploitation could lead to unauthorized disclosure of sensitive user information, session hijacking, and potential defacement or redirection attacks. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data leakage), and cause operational disruptions. Sectors where krpano is more likely deployed, such as tourism, real estate, education, and digital media, may face higher risks. Because the XSS is reflected, phishing campaigns could be enhanced by embedding malicious krpano URLs, increasing the attack surface. Although no active exploits are known, the vulnerability's presence in publicly accessible web assets increases the likelihood of future exploitation attempts. The impact on availability is limited, but the confidentiality and integrity of user sessions and data are significantly threatened.
Mitigation Recommendations
The primary mitigation is to upgrade krpano to version 1.23.2 or later, where this vulnerability is patched. Organizations should audit their web applications to identify any use of krpano and verify the version in use. Implement strict input validation and sanitization on all user-supplied parameters, especially those forwarded by passQueryParameters, including the xml parameter. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Additionally, consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious URL patterns targeting this vulnerability. Educate users and administrators about the risks of clicking unknown links, and monitor web traffic for unusual requests that may indicate exploitation attempts. Regularly review and update security controls, and conduct penetration testing focused on XSS vulnerabilities in web applications that use krpano.
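As an added illustration of the input-validation recommendation above (example code written for this page, not krpano's own code and not part of the advisory): rather than letting the viewer forward every URL query parameter, the embedding page reads the query string itself, keeps only an allowlist of expected parameter names, rejects values containing markup characters, and never lets the URL choose the xml file. The embedpano settings object, the allowlist names, the fixed xml path and the sample query strings are assumptions.

```javascript
// Added example (not krpano code): allowlist URL query parameters before
// handing them to the panorama viewer, so a crafted URL cannot inject an
// attacker-controlled "xml" value or markup into the embed settings.

// Parameter names this page expects from the URL (assumed for the example).
const ALLOWED_PARAMS = new Set(["startscene", "startlookat", "lang"]);
// Values may only contain characters with no meaning in XML, HTML or JS.
const SAFE_VALUE = /^[A-Za-z0-9_.,-]{1,64}$/;

// Returns { accepted: {...}, rejected: [...] } for the given query string.
function filterQueryParams(search) {
  const accepted = {};
  const rejected = [];
  const params = new URLSearchParams(search);
  for (const [name, value] of params) {
    const key = name.toLowerCase();
    // "xml" is never accepted from the URL: the viewer configuration file
    // is chosen by the page, not by whoever crafted the link.
    if (!ALLOWED_PARAMS.has(key) || !SAFE_VALUE.test(value)) {
      rejected.push(name);
      continue;
    }
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Builds the settings object for the embed call (shape assumed): xml is a
// fixed path, passQueryParameters stays off, and only vetted parameters are
// passed explicitly as startup variables.
function buildEmbedSettings(search) {
  const { accepted } = filterQueryParams(search);
  return {
    xml: "tour.xml",            // fixed path chosen by the page (assumed)
    target: "pano",
    passQueryParameters: false, // the viewer must not read the URL itself
    vars: accepted,
  };
}

// Browser usage (assumed embed API): embedpano(buildEmbedSettings(window.location.search));
```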
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 692a6e062a13ea799fea6fbf
Added to database: 11/29/2025, 3:52:38 AM
Last enriched: 11/29/2025, 4:00:43 AM
Last updated: 11/29/2025, 11:26:28 AM