
CVE-2025-9170: Cross Site Scripting in SolidInvoice

Medium
Published: Tue Aug 19 2025 (08/19/2025, 22:02:05 UTC)
Source: CVE Database V5
Product: SolidInvoice

Description

A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/27/2025, 01:17:44 UTC

Technical Analysis

CVE-2025-9170 is a cross-site scripting (XSS) vulnerability in SolidInvoice versions up to 2.4.0, specifically within the Tax Rates Module at the /tax/rates endpoint. The vulnerability arises from improper handling of the 'Name' argument in an unknown function, allowing an attacker to inject script into pages the application renders. The attack vector is network accessible (AV:N) with low attack complexity (AC:L), so it can be launched remotely. The CVSS vector specifies low privileges (PR:L), so the attacker most likely needs a low-privileged account on the instance rather than no authentication at all. User interaction is passive (UI:P in CVSS 4.0 terms): the victim need only view the page or follow a crafted link that renders the injected content for the payload to trigger. The impact on confidentiality is none (VC:N), on integrity low (VI:L), and on availability none (VA:N), indicating that the primary risk is session hijacking, defacement, or phishing via script injection rather than system compromise or direct data theft. The vendor was contacted but did not respond, and no patches are currently available. Although no exploitation in the wild has been reported, public exploit code exists, which increases the likelihood of attacks. The CVSS 4.0 base score is 5.1, categorizing this as a medium severity vulnerability.

Potential Impact

For European organizations using SolidInvoice for invoicing and tax rate management, this XSS vulnerability could lead to significant risks including session hijacking, theft of user credentials, or injection of malicious scripts that could redirect users to phishing sites or deliver malware. Given that SolidInvoice is a financial tool, exploitation could undermine trust in invoicing processes and potentially expose sensitive financial data indirectly through social engineering attacks. The lack of vendor response and absence of patches increases exposure time. Organizations in Europe relying on SolidInvoice for compliance with VAT and other tax regulations could face operational disruptions and reputational damage if attackers leverage this vulnerability. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to data breaches triggering legal and financial penalties.

Mitigation Recommendations

Immediate mitigation should include implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the /tax/rates endpoint. Organizations should audit and sanitize all user inputs related to tax rate names manually or via custom code if possible. Restricting access to the affected module to trusted users and limiting exposure to the internet can reduce risk. Monitoring logs for suspicious requests containing script tags or unusual payloads is critical. Since no official patch is available, organizations should consider isolating or disabling the vulnerable functionality temporarily if feasible. Educating users to avoid clicking on suspicious links and employing Content Security Policy (CSP) headers can help mitigate the impact of XSS attacks. Finally, organizations should track vendor communications for any forthcoming patches and plan for prompt application once available.
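As an added defensive example (not code from the SolidInvoice project or from this advisory), the following Python scans constructed access-log lines for writes to /tax/rates whose decoded name value carries markup, and shows the output encoding that stops a stored label from executing as script; the parameter spelling `name`, the log format and the sample lines are assumptions.

```python
from __future__ import annotations
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real SolidInvoice logs). The `name`
# parameter spelling is assumed from the CVE description, not taken from the source.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2025:22:02:05 +0000] "POST /tax/rates?name=VAT+20%25 HTTP/1.1" 302 0
203.0.113.7 - - [19/Aug/2025:22:03:11 +0000] "POST /tax/rates?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [19/Aug/2025:22:04:40 +0000] "GET /tax/rates HTTP/1.1" 200 5120
203.0.113.9 - - [19/Aug/2025:22:05:02 +0000] "POST /tax/rates?name=Reduced%20%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 302 0
"""

# Common Log Format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic: fragments that have no place in a tax rate label (a tag opener,
# an on*= event handler, a javascript: URL). Applied to the decoded value,
# because WAF-style matching on the raw percent-encoding misses encoded payloads.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def decode_name(target: str) -> str | None:
    """Return the percent-decoded `name` query parameter, or None if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("name")
    return values[0] if values else None  # parse_qs already decodes %XX and '+'


def flag_tax_rate_requests(log_text: str) -> list[dict]:
    """Flag requests to /tax/rates whose decoded name value contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != "/tax/rates":
            continue
        name = decode_name(m["target"])
        if name is not None and SUSPICIOUS_RE.search(name):
            hits.append({"ip": m["ip"], "ts": m["ts"], "name": name})
    return hits


def safe_label(name: str) -> str:
    """Escape a stored tax rate name for an HTML text context before rendering.
    This output encoding (what Twig autoescape does) is the fix for this bug class;
    input filtering alone is bypassable and should only complement it."""
    return html.escape(name, quote=True)
```

Run on real logs, the two flagged lines would be the requests to investigate; the benign "VAT 20%" label is not reported.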


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T13:37:05.164Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a4f80bad5a09ad00fbeb18

Added to database: 8/19/2025, 10:17:47 PM

Last enriched: 8/27/2025, 1:17:44 AM

Last updated: 10/1/2025, 12:51:26 PM
