PT-2025-34902 · Wicket · Wicket

4Rdr · Published 2025-08-27 · Updated 2025-08-27 · CVE-2025-50977

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: versions prior to 1.7.1
Description: A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified, requiring authenticated admin access for exploitation. The vulnerability exists in the r parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the /summary endpoint as well as POST requests to specific Wicket interface endpoints.
Recommendations: Update to version 1.7.1 or later (the affected versions are those prior to 1.7.1). Restrict access to the r parameter of the /summary endpoint. Limit authenticated admin access to reduce the potential impact of exploitation.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2025-50977

Affected Products: Wicket