CVE-2025-40989

Name of the Vulnerable Software and Affected Versions Ekushey CRM version 5.0

Description A stored Cross Site Scripting issue exists due to insufficient validation of user-supplied data. The issue is located in the /ekushey/index.php/client/project message/add/xxx API endpoint, specifically through the message parameter submitted via a POST request. Successful exploitation could allow a remote attacker to send a malicious query to an authenticated user, potentially leading to the theft of their cookie session details.

Recommendations Apply appropriate input validation and sanitization techniques to the message parameter in the /ekushey/index.php/client/project message/add/xxx API endpoint.