Impact
The vulnerability arises from improper neutralization of input during web page generation in Thales Sentinel LDK Runtime for Windows. An attacker can inject malicious scripts that are stored by the application and later rendered in a victim's browser, where they execute as arbitrary JavaScript in the context of the affected page. This stored Cross-Site Scripting can lead to session hijacking, theft of confidential information, and defacement or manipulation of the user interface. The weakness is classified as CWE-79, an XSS flaw that compromises the confidentiality and integrity of any data accessed through the affected page.
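The CWE-79 pattern above, as an added illustration that is not code from Thales or from the Sentinel LDK Runtime: a stored record whose text field is concatenated straight into a page (the vulnerable shape), next to the same renderer with context-appropriate HTML encoding applied to every untrusted value. The record contents and the `renderUnsafe`/`renderSafe`/`containsScriptTag` names are constructed for the example.

```javascript
// Added example (not Thales/Sentinel code): rendering stored, user-supplied
// text without and with output encoding, to show the stored-XSS pattern
// and its neutralization.

// Minimal HTML entity encoder for text placed in an element body or a
// quoted attribute value. Each character that can change the HTML
// structure is replaced with its entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample: stored records, one of which carries markup in a
// field that was accepted without sanitization.
const storedRecords = [
  { id: 1, name: "alice" },
  { id: 2, name: "<script>alert(1)</script>" },
];

// Vulnerable shape: the stored text is interpolated into the page as-is,
// so the browser parses the stored markup as part of the document.
function renderUnsafe(records) {
  return records.map((r) => `<li data-id="${r.id}">${r.name}</li>`).join("");
}

// Hardened shape: every untrusted value is encoded for the context it lands
// in, so the stored text is displayed literally and never parsed as markup.
function renderSafe(records) {
  return records
    .map((r) => `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.name)}</li>`)
    .join("");
}

// Regression check a defender can run over rendered output: does a raw
// script tag survive into the page? (Heuristic, for this example only.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderUnsafe(storedRecords));
  console.log("safe:  ", renderSafe(storedRecords));
}
```

The encoding is applied at output time, not at storage time: data that is already in the store (as in a stored XSS) is neutralized the moment it is rendered, and the same stored value can be encoded differently if it is later emitted into a JavaScript string or a URL rather than an HTML body.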
Affected Systems
The issue affects the Sentinel LDK Runtime product from Thales on Windows platforms. All releases prior to version 10.22 are vulnerable. This includes any deployment of the LDK Runtime that processes user-supplied input without proper sanitization, regardless of deployment size or tenant environment.
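A numeric version comparison against the 10.22 boundary stated above, added here as an example and not taken from Thales or OpenCVE tooling. It exists because a plain string comparison gets the range wrong (for instance `"10.9" > "10.22"` lexically, although 10.9 is an affected release); the `isAffected` and `parseVersion` names and the version strings in the test are constructed for the example.

```javascript
// Added example (not Thales/OpenCVE code): classify a Sentinel LDK Runtime
// version string as affected (< 10.22) or not, comparing components
// numerically rather than lexically.
const FIXED_VERSION = "10.22"; // first unaffected release, per the advisory

// Split "a.b.c" into integers; reject anything that is not dotted numerics.
function parseVersion(v) {
  const parts = String(v).trim().split(".").map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Component-wise comparison; missing trailing components count as 0,
// so "10.22" and "10.22.0" compare equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the reported version falls before the fixed release.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["10.9", "10.22", "10.22.0", "9.99", "11.0"]) {
    console.log(v, isAffected(v) ? "affected" : "not affected");
  }
}
```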
Risk and Exploitability
The CVSS score of 7 signals high severity, meaning the flaw could have significant impact if exploited. No EPSS score is published and the vulnerability is not listed in CISA's KEV catalog, which suggests that no publicly available exploit is known yet, though the potential for exploitation remains. Attackers could leverage the web interface that stores user data to deliver malicious payloads; because the attack can be performed remotely and the injected content persists, it is attractive to threat actors able to inject content that will be served to other users.
OpenCVE Enrichment