CVE-2025-8116: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Polska Akademia Dostępności PAD CMS
PAD CMS is vulnerable to Reflected XSS in its printing and save-to-PDF functionality. An attacker can craft a special URL which, when opened, results in arbitrary JavaScript execution in the victim's browser. This issue affects all 3 templates: www, bip and www+bip. The product is End-Of-Life and the vendor will not publish patches for this vulnerability.
AI Analysis
Technical Summary
CVE-2025-8116 is a medium-severity reflected Cross-Site Scripting (XSS) vulnerability identified in the Polska Akademia Dostępności (PAD) CMS, a content management system used primarily in Poland. The vulnerability arises from improper neutralization of user input during web page generation, specifically affecting the printing and 'save to PDF' functionalities across all three templates (www, bip, and www+bip). An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript code in the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability is notable because the PAD CMS product is End-Of-Life (EOL), and no patches will be released by the vendor, leaving all installations permanently exposed unless mitigated by other means. The CVSS 4.0 score of 5.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges or authentication required, but user interaction needed (victim must open the malicious URL). The scope is limited to the vulnerable CMS installations, and no known exploits are currently reported in the wild. The vulnerability is assigned to CWE-79, indicating improper input sanitization leading to XSS.
Potential Impact
For European organizations, particularly those in Poland and possibly neighboring countries using PAD CMS, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Exploitation could allow attackers to steal authentication tokens, perform actions on behalf of users, or deliver malware through the victim's browser. Since PAD CMS is often used for public-facing websites, including government or institutional portals, successful exploitation could damage organizational reputation and trust. The lack of vendor patches increases the risk over time, as attackers may develop exploits targeting this vulnerability. While the vulnerability does not directly impact availability, the potential for defacement or malicious redirects could disrupt user access and trust. Organizations relying on PAD CMS for accessibility-related content may face compliance and accessibility challenges if the system is compromised.
Mitigation Recommendations
Given the EOL status of PAD CMS and the absence of official patches, organizations must implement compensating controls. These include:
1) Deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the printing and PDF functionalities.
2) Implementing strict Content Security Policies (CSP) to restrict execution of inline scripts and untrusted sources, mitigating the impact of XSS.
3) Conducting input validation and output encoding at the application or proxy level if possible, to sanitize user inputs before rendering.
4) Educating users to avoid clicking suspicious links and employing browser security features like script blockers.
5) Considering migration to a supported CMS platform to eliminate exposure.
6) Monitoring web server logs for unusual URL patterns indicative of exploitation attempts.
7) Isolating the CMS environment and limiting sensitive data exposure to reduce impact if exploited.
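The log monitoring in recommendation 6, sketched as an added example that is not part of the original advisory: a scanner that percent-decodes each request target, including double-encoded input, and flags markup found in the URL. The route hints `print` and `pdf` and the sample log lines are assumptions, since the advisory does not name the affected URLs or parameters.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the advisory does not name the print / save-to-PDF URLs, so
# these path substrings are hypothetical. Replace them with the real routes.
PRINT_PDF_HINTS = ("print", "pdf")
# Markup and script URLs that should not appear in a decoded request target.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object)\b"
    r"|\bon(?:error|load|click|focus|mouseover)\s*=|javascript\s*:",
    re.IGNORECASE)
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (line_no, target, on_print_pdf_route) for suspicious requests."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        if SUSPICIOUS.search(fully_decode(target)):
            path = urlsplit(target).path.lower()
            hits.append((line_no, target, any(h in path for h in PRINT_PDF_HINTS)))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Sep/2025:10:00:01 +0000] "GET /print/12?title=Aktualnosci HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Sep/2025:10:00:07 +0000] "GET /print/12?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5180',
    '198.51.100.4 - - [30/Sep/2025:10:01:13 +0000] "GET /pdf/7?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 900',
    '198.51.100.8 - - [30/Sep/2025:10:02:40 +0000] "GET /search?q=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hits where the third field is true fall on the assumed print/PDF routes and deserve review first; the same decode-then-match logic can back a WAF or reverse-proxy rule for recommendation 1.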
Affected Countries
Poland, Germany, Czech Republic, Slovakia
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-07-24T13:38:01.739Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dbac586e3c400c0ffa5df9
Added to database: 9/30/2025, 10:09:28 AM
Last enriched: 9/30/2025, 10:11:46 AM
Last updated: 10/3/2025, 12:10:35 AM