CVE-2025-63611
Published: 08 January 2026
Summary
CVE-2025-63611 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Phpgurukul Hostel Management System. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability is ranked at the 18.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-provided inputs in the complaint field to prevent storage of malicious HTML/JavaScript.
- SI-15 (Information Output Filtering): directly requires filtering of stored complaint outputs when rendered in the admin viewer to prevent execution of injected scripts.
- Requires identification and correction of the specific flaw in /register-complaint.php and /admin/complaint-details.php that allows unescaped storage and rendering.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary script execution in the administrator's browser context, which directly facilitates browser session hijacking and theft of web session cookies.
NVD Description
Cross-Site Scripting in phpgurukul Hostel Management System v2.1: user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser.
Deeper analysis
CVE-2025-63611 is a stored cross-site scripting (XSS) vulnerability, mapped to CWE-79, affecting phpgurukul Hostel Management System version 2.1. The flaw occurs in user-provided complaint fields, specifically the "Explain the Complaint" input submitted via /register-complaint.php. These values are stored without escaping and rendered directly in the admin interface at /admin/complaint-details.php?cid=<id>, enabling injected HTML or JavaScript to execute in an administrator's browser when viewing the complaint details.
The vulnerability can be exploited by a low-privileged user (PR:L) over the network (AV:N) with low attack complexity (AC:L), though it requires administrator interaction (UI:R), namely viewing the malicious complaint. Because the script runs in the administrator's browser rather than in the vulnerable component itself, the scope changes (S:C); the impact is high on confidentiality and integrity (C:H/I:H) with no availability disruption (A:N), which is reflected in the CVSS v3.1 base score of 8.7. An attacker can therefore run arbitrary scripts in the admin's session context, potentially leading to session hijacking or further compromise.
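The two controls named above (SI-10 input validation on submission, SI-15 output encoding at render time) can be illustrated in PHP, the language of the affected application. The following is an added example written for this page, not code from the phpgurukul project; the column name `detail`, the `$complaint` row and the 2000-character limit are assumptions.

```php
<?php
// Added illustrative hardening for a stored-text field rendered in an admin page.
// Not the project's code: $complaint, the 'detail' column and the length limit are assumed.
declare(strict_types=1);

/**
 * SI-15: encode a value for the HTML text and quoted-attribute contexts.
 * ENT_QUOTES escapes both quote characters, ENT_SUBSTITUTE keeps invalid UTF-8
 * from collapsing the output to an empty string, and the charset is explicit.
 */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * SI-10: validate the complaint text when /register-complaint.php receives it.
 * Returns null for input that should be rejected. Validation limits what is
 * stored but does not replace output encoding; both layers are needed.
 */
function validateComplaintText(string $text): ?string
{
    $text = trim($text);
    if ($text === '' || !mb_check_encoding($text, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($text, 'UTF-8') > 2000) {   // assumed application limit
        return null;
    }
    return $text;
}

// Constructed sample row standing in for the record fetched by cid.
// The markup inside it is rendered literally, not interpreted, once encoded.
$complaint = ['cid' => 42, 'detail' => "Heater broken <b>since</b> Monday\nRoom 12"];

header('Content-Type: text/html; charset=UTF-8');
// Defense in depth for the admin viewer; tune the policy to the scripts the app needs.
header("Content-Security-Policy: default-src 'self'");
?>
<div class="complaint" data-cid="<?= encodeHtml((string) $complaint['cid']) ?>">
  <!-- encode first, then nl2br: line breaks survive without reintroducing raw markup -->
  <p><?= nl2br(encodeHtml($complaint['detail'])) ?></p>
</div>
```

The same `encodeHtml()` call applies to every stored field echoed by /admin/complaint-details.php; fields emitted into JavaScript or URL contexts need context-specific encoding instead.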
Advisories and references, including a detailed analysis on Medium and the official project page at phpgurukul.com/hostel-management-system/, provide further context on the issue, which was published on 2026-01-08T16:15:45.057. Practitioners should consult these for any recommended patches or workarounds specific to the software.
Details
- CWE(s)