CVE-2025-40991

Name of the Vulnerable Software and Affected Versions Ekushey CRM version 5.0

Description A stored cross site scripting issue exists in Ekushey CRM version 5.0 due to insufficient validation of user-supplied data. The issue is located in the project file upload functionality via the /ekushey/index.php/client/project file/upload/xxxx API endpoint, specifically through the description parameter submitted via a POST request. Successful exploitation could allow a remote attacker to steal the cookie session details of an authenticated user by sending a malicious query.

Recommendations Apply appropriate input validation and sanitization techniques to the description parameter within the /ekushey/index.php/client/project file/upload/xxxx API endpoint.