PT-2025-34267 · Phproject · Phproject

Naklehzeidan21 · Published 2025-08-21 · Updated 2025-08-21 · CVE-2025-57768

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Phproject versions 1.8.0 through 1.8.2
Description: Phproject is a high-performance, full-featured project management system. A Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. A malicious payload can be crafted and included in the planned hours parameter within a POST request to the /issues/new/ API endpoint. The server reflects the input directly, without escaping, in the HTML of the project creation page, leading to execution of the malicious script in the browser of any user who views that page.
Recommendations: Update to Phproject version 1.8.3 or later.
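The defect class described above is a numeric form field whose raw value reaches HTML without encoding. The following PHP snippet is an added illustration, not Phproject's own code or its actual fix: it shows a constructed vulnerable render function beside the two controls that close the gap, boundary validation of the planned-hours value and output encoding of whatever is emitted. All function names and sample submissions are hypothetical.

```php
<?php
// Added example, not Phproject's code. All names here are hypothetical.
// Shows the defect class from the advisory (a numeric "planned hours" value
// written into HTML unescaped) next to a hardened equivalent.

declare(strict_types=1);

/**
 * Vulnerable pattern (constructed): the submitted value is concatenated into
 * the page as-is, so any markup in $planned is parsed by the browser.
 */
function render_planned_hours_unsafe(string $planned): string
{
    return '<span class="planned-hours">' . $planned . '</span>';
}

/**
 * Control 1: validate at the trust boundary. Planned hours is a non-negative
 * number with at most two decimals; anything else is rejected before storage.
 * Returns null when the input is not acceptable.
 */
function parse_planned_hours(string $raw): ?float
{
    $raw = trim($raw);
    if (!preg_match('/^\d{1,5}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return $value === false ? null : (float) $value;
}

/**
 * Control 2: encode on output. Even a value that bypassed validation (for
 * example a row stored by a vulnerable version) is HTML-escaped before it is
 * emitted. ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
 * an empty result on malformed UTF-8.
 */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_planned_hours_safe(?float $hours): string
{
    $text = $hours === null ? '' : number_format($hours, 2, '.', '');
    return '<span class="planned-hours">' . escape_html($text) . '</span>';
}

// Constructed sample submissions standing in for the POST field.
$samples = [
    '12.5',                            // legitimate value
    '<script>alert(1)</script>',       // markup in a numeric field
    '8"><i>x</i>',                     // attribute-breakout attempt
];

foreach ($samples as $raw) {
    $parsed = parse_planned_hours($raw);
    printf("input:           %s\n", $raw);
    printf("  unsafe render: %s\n", render_planned_hours_unsafe($raw));
    printf("  validation:    %s\n", $parsed === null ? 'rejected' : 'accepted');
    printf("  safe render:   %s\n\n", render_planned_hours_safe($parsed));
}
```

Both controls are needed: validation alone leaves data already stored by an affected version exploitable when it is later rendered, and encoding alone still lets non-numeric junk into a numeric column. A Content-Security-Policy that disallows inline script is a useful third layer but does not replace either.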

Exploit

Fix

XSS

Related Identifiers: CVE-2025-57768, GHSA-MHHG-QX37-G369

Affected Products: Phproject