Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the a

Description

Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser.

Affected Products

Vendor	Product	Versions
phpgurukul	hostel_management_system	—

References

https://medium.com/@tanushkushtk01/cve-2025-63611-stored-cross-site-scripting-xss-in-hostel-management-system-v2-1-a23c2efc86ea(Exploit, Third Party Advisory)
https://phpgurukul.com/hostel-management-system/(Product)

CVSS 3.18.7 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-79

PublishedJan 8, 2026

Last enriched3d ago

Trending Score0

Source articles0

Independent0

Info Completeness7/14

Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the a

Description

Affected Products

References

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline