CVE-2025-9171: Cross Site Scripting in SolidInvoice
A security flaw has been discovered in SolidInvoice up to and including 2.4.0. The affected code is an unknown function in the file /clients of the Clients Module. Manipulating the argument Name results in cross-site scripting. The attack can be carried out remotely. An exploit has been released to the public and may be used. The vendor was contacted early about this disclosure but did not respond.
AI Analysis
Technical Summary
CVE-2025-9171 is a cross-site scripting (XSS) vulnerability in SolidInvoice, an open-source invoicing application, affecting versions up to and including 2.4.0. The vulnerability resides in the Clients Module, in an unknown function that handles the 'Name' argument of the /clients endpoint. Missing or insufficient output encoding allows an attacker to inject script by manipulating this parameter. Two CVSS 4.0 vector components frame the attack: PR:L (low privileges required) means the attacker needs an authenticated, low-privileged account rather than anonymous access, and UI:P (passive user interaction) means a victim must merely view the page on which the injected client name is rendered, not click a crafted link. Taken together this is consistent with a stored XSS in which a malicious client name is saved once and then executes in the browser of every user who opens the affected view, although the advisory does not state this explicitly. The flaw impacts the confidentiality and integrity of client data by enabling script execution in the context of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vendor has not responded to disclosure attempts, and no official patch or mitigation guidance has been released. The CVSS 4.0 base score is 5.1 (medium). Exploit code has been publicly released, which raises the likelihood of exploitation, although no widespread exploitation has been observed yet. The vulnerability does not affect availability directly but poses a real risk to user data and trust in the application.
Potential Impact
For European organizations using SolidInvoice for client invoicing and financial management, this vulnerability poses a tangible risk to the confidentiality and integrity of sensitive client information. Exploitation could lead to unauthorized access to client data, manipulation of invoice details, or theft of session cookies, potentially resulting in financial fraud or reputational damage. Given the remote exploitability and public availability of exploit code, attackers could target European businesses, especially small and medium enterprises (SMEs) that rely on SolidInvoice for cost-effective invoicing solutions. The lack of vendor response and patch availability exacerbates the risk, as organizations may remain exposed for extended periods. Additionally, regulatory frameworks such as the EU's GDPR impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to compliance violations and associated penalties. The medium severity rating suggests moderate impact, but the real-world consequences could be significant depending on the deployment context and the sensitivity of the invoiced data.
Mitigation Recommendations
Given the absence of an official patch, organizations running SolidInvoice should implement compensating controls now. Because the attacker needs an account (PR:L), network-level restrictions on /clients (IP allow-listing, VPN-only access) reduce the pool of potential attackers but do not stop a malicious or compromised user; they are worth having but are not sufficient on their own. More directly useful are: first, auditing existing client records for names containing markup or script, since a stored payload may already be present; second, adding web application firewall (WAF) rules that flag or block script-capable markup in the Name parameter of requests to /clients; third, applying output encoding to user-supplied data in the affected templates if modifying the source is feasible, which is the actual fix for this class of bug; fourth, reducing the blast radius of a successful injection with a Content-Security-Policy that disallows inline script and with HttpOnly and SameSite session cookies; fifth, limiting who can create or edit clients to the roles that genuinely need it. Monitor logs for unusual activity around client data, prepare for rapid patch deployment once a vendor fix becomes available, and, if the project remains unmaintained, consider migrating to an invoicing solution with active security support.
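As an added illustration of the second and third controls above (this is example code, not SolidInvoice's own), the block below shows the vulnerable rendering pattern beside its encoded form, and a WAF-style check run over a few constructed form submissions. The request shape, the form field name `name`, and the `currency` field are assumptions made for the example; the advisory only says the Name argument of /clients is affected.

```python
"""Added example, not SolidInvoice code: compensating controls for an XSS in a
client-name field.

1. render_client_name_unsafe() / render_client_name(): the unencoded pattern
   that lets a stored name execute as script, beside the hardened form that
   HTML-encodes the value before it reaches the page.
2. find_suspicious_names(): a WAF-style check that flags Name values carrying
   script-capable markup in POSTs to /clients.

The request tuples, the form field name "name" and the "currency" field are
constructed for this example and are assumptions, not the application's API.
"""
import html
import re
from urllib.parse import parse_qs

# Markup that can run script in a browser. The match is case-insensitive and
# tolerant of whitespace inside tags, because a plain "<script>" substring test
# misses "<SCRIPT>" and "< script>". Event-handler attributes (onerror=, onload=)
# and javascript: URLs cover common payloads that avoid <script> entirely.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|svg|img|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def render_client_name_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML verbatim."""
    return f'<td class="client-name">{name}</td>'


def render_client_name(name: str) -> str:
    """Hardened form: encode <, >, &, and quotes so the browser treats the
    value as text rather than markup."""
    return f'<td class="client-name">{html.escape(name, quote=True)}</td>'


def is_suspicious_name(name: str) -> bool:
    """True when the value contains markup capable of executing script."""
    return SUSPICIOUS.search(name) is not None


def find_suspicious_names(requests):
    """Return (request index, decoded name) for each POST to /clients whose
    `name` field looks like an injection attempt.

    `requests` is an iterable of (method, path, urlencoded_body) tuples, the
    shape an access-log or WAF hook might hand us (assumed for this example).
    """
    hits = []
    for i, (method, path, body) in enumerate(requests):
        if method != "POST" or path != "/clients":
            continue
        for name in parse_qs(body).get("name", []):
            if is_suspicious_name(name):
                hits.append((i, name))
    return hits


# Constructed sample submissions: one benign, two malicious, one GET, and one
# POST to an unrelated path that the /clients rule must ignore.
SAMPLE_REQUESTS = [
    ("POST", "/clients", "name=Acme+GmbH&currency=EUR"),
    ("POST", "/clients",
     "name=%3Cscript%3Ealert(document.cookie)%3C/script%3E&currency=EUR"),
    ("POST", "/clients",
     "name=Bob+%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&currency=EUR"),
    ("GET", "/clients", ""),
    ("POST", "/invoices", "name=%3Cscript%3Ex%3C/script%3E"),
]


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print("unsafe :", render_client_name_unsafe(payload))
    print("encoded:", render_client_name(payload))
    for idx, name in find_suspicious_names(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious client name {name!r}")
```

The encoding step is the real fix; the regex is a stop-gap that will miss encodings it does not anticipate and should be tuned against legitimate names (a company called "Onload & Sons" is harmless but contains "on" followed by letters, which the rule tolerates only because it also requires an `=`).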
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T13:37:07.795Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4ff14ad5a09ad00fc17ad
Added to database: 8/19/2025, 10:47:48 PM
Last enriched: 8/19/2025, 11:03:10 PM
Last updated: 8/20/2025, 12:35:26 AM
Related Threats
- CVE-2025-9132: Out of bounds write in Google Chrome (High)
- CVE-2025-9193: Open Redirect in TOTVS Portal Meu RH (Medium)
- CVE-2025-9176: OS Command Injection in neurobin shc (Medium)
- CVE-2025-9175: Stack-based Buffer Overflow in neurobin shc (Medium)
- CVE-2025-9174: OS Command Injection in neurobin shc (Medium)