PT-2025-45332 · Unknown · Cmsimple Xh

Published 2025-11-06 · Updated 2025-11-06 · CVE-2025-63589

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

CMSimple XH version 1.8

Description

A reflected Cross-Site Scripting (XSS) issue exists in the index.php router. The issue occurs because attacker-controlled path segments are not properly sanitized or encoded before being included in the generated HTML, specifically in navigation links, breadcrumbs, the search form action, and footer links. An attacker can inject a malicious string into the URL path, which is then reflected into multiple HTML elements, enabling the execution of arbitrary JavaScript code in a victim's browser when they access a specially crafted URL.

Recommendations

Update to a newer version that contains a fix for this vulnerability.
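
The encoding step the description says is missing, shown for two of the listed sinks (breadcrumb links and the search form action). This is an added example, not CMSimple_XH code or its fix; the function names, the markup and the sample request path are assumptions made for illustration.

```php
<?php
// Added illustration; not CMSimple_XH code. All function names are hypothetical.

// Split the request path into decoded, non-empty segments.
function path_segments(string $requestUri): array
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    $raw = is_string($path) ? explode('/', $path) : [];
    $raw = array_filter($raw, fn($s) => $s !== '');
    return array_map('rawurldecode', array_values($raw));
}

// Encode a string for an HTML attribute value or text node.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Breadcrumbs: each segment is URL-encoded when it enters the href,
// then the href and the visible label are HTML-encoded on output.
function breadcrumbs(array $segments): string
{
    $html = [];
    $href = '';
    foreach ($segments as $seg) {
        $href .= '/' . rawurlencode($seg);
        $html[] = '<a href="' . h($href) . '">' . h($seg) . '</a>';
    }
    return implode(' &gt; ', $html);
}

// Search form whose action reflects the current path.
function search_form(array $segments): string
{
    $action = '/' . implode('/', array_map('rawurlencode', $segments));
    return '<form method="get" action="' . h($action) . '">'
         . '<input type="search" name="search"></form>';
}

// Constructed sample path: the last segment decodes to a string
// containing a double quote and angle brackets.
$segs = path_segments('/news/archive%22%3E%3Ci%3Ex');
echo breadcrumbs($segs), "\n", search_form($segs), "\n";
```

With the constructed path, the quote and angle brackets appear in the output only as `%22`, `%3E`, `%3C` inside `href`/`action` and as `&quot;`, `&gt;`, `&lt;` in the link text, so the segment cannot close the attribute or open a new element.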

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-63589

Affected Products

Cmsimple Xh