CVE-2025-68991 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the BWL Pro Voting Manager software developed by xenioushk, affecting versions up to and including 1.4.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious actors to inject and execute arbitrary JavaScript code within the victim’s browser environment. This type of XSS is client-side and occurs when the web application uses unsafe methods to process and reflect user input in the Document Object Model (DOM) without adequate sanitization or encoding. The vulnerability does not require authentication (AV:N) but does require user interaction (UI:R), such as clicking a crafted link or visiting a malicious page. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially impacting the entire user session or other parts of the application. The impact includes limited confidentiality and integrity loss (C:L, I:L) but no availability impact (A:N). The CVSS 3.1 base score is 6.1, categorizing it as medium severity. No known exploits have been reported in the wild, and no official patches or updates have been linked at the time of publication. The vulnerability is particularly concerning for organizations relying on BWL Pro Voting Manager for online voting or polling, as exploitation could lead to session hijacking, unauthorized actions, or manipulation of voting results. The lack of patches necessitates immediate mitigation through secure coding practices, input validation, and deployment of security controls such as Content Security Policy (CSP).

For European organizations, the impact of CVE-2025-68991 can be significant, especially for entities that utilize BWL Pro Voting Manager for electronic voting, polling, or decision-making processes. Exploitation of this DOM-based XSS vulnerability could allow attackers to execute arbitrary scripts in users’ browsers, potentially leading to session hijacking, theft of sensitive information such as authentication tokens, or manipulation of voting data integrity. Although the vulnerability does not directly affect system availability, the compromise of confidentiality and integrity can undermine trust in electronic voting systems and lead to reputational damage, legal consequences, and loss of stakeholder confidence. The medium severity rating indicates a moderate risk, but the strategic importance of voting systems in democratic processes elevates the potential impact. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to exploit this vulnerability, increasing the attack surface. Organizations involved in public administration, political parties, or civic engagement platforms in Europe should be particularly vigilant.

To mitigate CVE-2025-68991 effectively, European organizations should implement the following specific measures: 1) Apply strict input validation and sanitization on all user-supplied data before it is processed or reflected in the DOM, using secure coding libraries or frameworks that automatically handle encoding. 2) Deploy a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 3) Educate users and administrators about the risks of clicking untrusted links or interacting with suspicious content, as exploitation requires user interaction. 4) Monitor web application logs and user behavior for signs of suspicious activity indicative of XSS exploitation attempts. 5) If possible, isolate the voting manager application in a sandboxed environment or use browser security features like SameSite cookies to limit session hijacking risks. 6) Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. 7) Conduct regular security assessments and penetration testing focused on client-side vulnerabilities to identify and remediate similar issues proactively.