CVE-2025-8116: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Polska Akademia Dostępności PAD CMS
CVE-2025-8116 is a reflected Cross-site Scripting (XSS) vulnerability in the Polska Akademia Dostępności (PAD) CMS affecting its printing and save-to-PDF functionality across all three templates (www, bip, www+bip). An attacker can craft a malicious URL that, when visited by a user, executes arbitrary JavaScript in the victim's browser. The product is End-Of-Life, and no patches will be issued, leaving systems exposed. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity), requiring no privileges but some user interaction. While no known exploits are reported in the wild, the risk remains due to the lack of vendor support. European organizations using PAD CMS should be aware of the risk of session hijacking, data theft, or defacement through this XSS flaw. Mitigation requires compensating controls such as input validation, web application firewalls, or migration to supported platforms. Poland is the most affected country given the product origin and usage, with other European countries potentially impacted if they use PAD CMS.
AI Analysis
Technical Summary
CVE-2025-8116 identifies a reflected Cross-site Scripting (XSS) vulnerability in the Polska Akademia Dostępności (PAD) CMS, specifically within its printing and save-to-PDF features. This vulnerability affects all three templates provided by the CMS: www, bip, and www+bip. The flaw arises because user-supplied input is not properly neutralized during web page generation, allowing an attacker to craft a malicious URL that injects and executes arbitrary JavaScript code in the victim's browser when the link is visited. This type of reflected XSS does not require authentication or elevated privileges but does require user interaction, such as clicking a malicious link. The vulnerability is classified under CWE-79, highlighting the failure to encode or sanitize input properly. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), active user interaction required (UI:A, i.e. the victim must act, such as following the link), and limited scope and impact on confidentiality, integrity, and availability. The PAD CMS product is End-Of-Life, and the vendor will not provide patches or updates to remediate this issue, increasing the risk for organizations still using this software. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk for exploitation due to the ease of crafting malicious URLs and the potential for executing arbitrary scripts in users' browsers. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Given the CMS's use in Polish institutions and potentially other European organizations, the vulnerability poses a regional threat. The lack of vendor support means organizations must rely on alternative mitigation strategies or consider migrating to supported CMS platforms.
Potential Impact
For European organizations, especially those in Poland and neighboring countries where PAD CMS is more likely deployed, this vulnerability poses a moderate risk. Exploitation can lead to unauthorized script execution in users’ browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further malware. This can compromise confidentiality and integrity of user data and organizational information systems. Public-facing websites using PAD CMS for official or public information dissemination could be defaced or manipulated, damaging organizational reputation and trust. Since the product is End-Of-Life with no patches forthcoming, the risk of prolonged exposure is high. Organizations relying on PAD CMS may face compliance challenges under GDPR if personal data is compromised via this vulnerability. The medium CVSS score reflects moderate impact and ease of exploitation, but the lack of vendor support elevates the operational risk. The threat is particularly relevant for government, educational, and public sector entities using PAD CMS templates (www, bip, www+bip) in Europe.
Mitigation Recommendations
Given the End-Of-Life status of PAD CMS and absence of vendor patches, European organizations should prioritize migration to supported and actively maintained CMS platforms to eliminate this vulnerability. In the interim, implement strict input validation and output encoding on all user-supplied data, especially in printing and PDF generation functionalities, to prevent script injection. Deploy Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting PAD CMS URLs. Conduct regular security awareness training to educate users about the risks of clicking suspicious links. Restrict or monitor the use of the vulnerable printing and save-to-PDF features if feasible. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor web server logs for unusual URL patterns indicative of exploitation attempts. Finally, ensure incident response plans include procedures for handling XSS incidents and potential data breaches resulting from this vulnerability.
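The three interim controls above (output encoding in the print view, a CSP header, and access-log monitoring for markup in print/PDF requests) as an added worked example; this is not PAD CMS code or code from the advisory, the `/print` and `/pdf` route names are assumed placeholders because the advisory does not name the affected endpoints, and the log lines are constructed:

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the advisory does not name PAD CMS's print / save-to-PDF routes,
# so these path prefixes are placeholders for the affected endpoints.
PRINT_PATHS = ("/print", "/pdf")

def render_print_page(title: str, body: str) -> str:
    """Output encoding: HTML-escape every reflected value (quotes included) before
    writing it into the print view, so markup from the URL becomes inert text."""
    safe_title = html.escape(title, quote=True)
    safe_body = html.escape(body, quote=True)
    return (f"<html><head><title>{safe_title}</title></head>"
            f"<body><h1>{safe_title}</h1><pre>{safe_body}</pre></body></html>")

def csp_header() -> dict:
    """Compensating control for an EOL product: a CSP that rejects inline and
    third-party script, so a missed encoding site still cannot run a payload."""
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"}

# Markup fragments that have no business in a print/PDF query string.
XSS_PROBE = re.compile(r"<\s*/?\s*(script|img|svg|iframe)|\bon\w+\s*=|javascript\s*:", re.I)

def is_suspicious_request(log_line: str) -> bool:
    """Flag a combined-format access-log line whose request hits a print/PDF path
    and carries markup in its URL-decoded query string."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.startswith(PRINT_PATHS):
        return False
    return bool(XSS_PROBE.search(unquote_plus(url.query)))

def flagged_lines(lines):
    """Return only the log lines that look like reflected-XSS probes."""
    return [ln for ln in lines if is_suspicious_request(ln)]

# Constructed sample log lines (not real traffic); only the 2nd and 3rd are flagged.
SAMPLE_LOGS = [
    '203.0.113.7 - - [30/Sep/2025:10:09:28 +0000] "GET /print?page=123 HTTP/1.1" 200 4312',
    '203.0.113.9 - - [30/Sep/2025:10:10:02 +0000] "GET /pdf?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4312',
    '203.0.113.9 - - [30/Sep/2025:10:10:05 +0000] "GET /print?id=1%22%20onmouseover%3Dx HTTP/1.1" 200 4312',
    '203.0.113.4 - - [30/Sep/2025:10:11:40 +0000] "GET /news?q=%3Cscript%3E HTTP/1.1" 200 1100',
]
```

The detector is scoped to the print/PDF paths on purpose: alerting only on the feature the advisory names keeps the false-positive rate manageable while the migration off PAD CMS is underway.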
Affected Countries
Poland, Germany, France, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-07-24T13:38:01.739Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dbac586e3c400c0ffa5df9
Added to database: 9/30/2025, 10:09:28 AM
Last enriched: 10/7/2025, 11:29:19 AM
Last updated: 11/12/2025, 10:07:30 PM