CVE-2025-29746: 
PHP vulnerability analysis and mitigation

Cross Site Scripting (XSS) vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components. The vulnerability was discovered in March 2025 and publicly disclosed on May 1, 2025 (GitHub Issue, GitHub Gist). The issue affects multiple components of the application and has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) (NVD).

The vulnerability encompasses both Stored and Reflected XSS variants affecting multiple locations within the application. The vulnerable components include the Collections section (stored XSS in text field during creation/editing), Wishlists section (reflected XSS when adding new wishlists), and Albums section (reflected XSS when adding new albums). The issue stems from improper input validation and output encoding of user-supplied data (GitHub Issue). The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

While the impact is partially mitigated by the presence of HTTPOnly cookies preventing session hijacking, the vulnerability could still be exploited for phishing attacks through malicious redirections using window.location payloads. The vulnerability potentially affects data integrity and could lead to user misdirection to malicious sites (GitHub Issue).

The vulnerability has been fixed in version 1.6.11. The recommended mitigation strategy involves filtering input on arrival and encoding data on output. For unpatched systems, there are no documented workarounds (GitHub Gist).