CVE-2025-40644
Description
Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
QRGen by Riftzilla has a reflected XSS flaw in article.php via the id parameter, enabling cookie theft or malicious actions.
Vulnerability Overview
CVE-2025-40644 is a reflected Cross-Site Scripting (XSS) vulnerability affecting QRGen by Riftzilla, a QR code generation application. The flaw exists in the /article.php script, which fails to sanitize user-supplied input passed in the id parameter. An attacker can craft a malicious URL containing JavaScript code in the id parameter; when a victim visits that URL, the code executes in the context of the vulnerable application. This is a classic CWE-79 weakness. [1]
Exploitation Details
The vulnerability is remotely exploitable without authentication (CVSS v4.0 vector AV:N/AC:L/AT:N/PR:N/UI:A). The attacker must convince the victim to click a specially crafted link, requiring user interaction. No privileged network position is needed; the attack surface is simply the public-facing /article.php endpoint. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal session cookies, capture keystrokes, or perform actions on behalf of the victim within the application's security context, compromising user data and session integrity. [1]
Mitigation
As of the advisory publication date (January 20, 2026), no official patch or workaround has been released by the vendor. The vulnerability remains unaddressed. INCIBE coordinated the disclosure, and the discoverer is Gonzalo Aguilar García (6h4ack). Until a fix is supplied, users should avoid clicking untrusted links and consider using web application firewall rules to filter malicious input. [1]
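One way to look for attempts against this endpoint in web server logs, using the same allow-list check a WAF rule or input filter could apply to id. This is an added example, not code from QRGen or the advisory; it assumes article ids are short decimal numbers and combined-format access logs, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: legitimate article ids are short decimal numbers; adjust to the real format.
ID_ALLOWED = re.compile(r"[0-9]{1,10}")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is inspected in clear form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(target):
    """Return the decoded offending 'id' value for /article.php, or None if the request is clean."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/article.php"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "id":
            value = fully_decode(value)
            if not ID_ALLOWED.fullmatch(value):
                return value
    return None

def scan(lines):
    """Yield (line_number, decoded_id) for each log line that fails the allow-list."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            bad = suspicious_id(m.group(1))
            if bad is not None:
                yield n, bad

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2026:10:00:01 +0000] "GET /article.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Jan/2026:10:00:07 +0000] "GET /article.php?id=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [20/Jan/2026:10:00:09 +0000] "GET /article.php?id=%253Cb%253E HTTP/1.1" 200 5130',
    '203.0.113.7 - - [20/Jan/2026:10:00:12 +0000] "GET /index.php?id=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, bad in scan(SAMPLE_LOG):
        print(f"line {n}: non-conforming id {bad!r}")
```

The third sample line shows why the value is decoded repeatedly: a double-encoded id passes a single-decode filter unchanged but is flagged here.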
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.