PT-2026-3115 · Phpgurukul · Phpgurukul Cyber Cafe Management System
Published: 2026-01-15 · Updated: 2026-01-17 · CVE-2025-70891
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Phpgurukul Cyber Cafe Management System version 1.0
Description
The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the /add-users.php API endpoint, leading to a stored cross-site scripting issue. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the /view-allusers.php page.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider sanitizing the uadd parameter in the /add-users.php endpoint to prevent the injection of malicious scripts. Restrict access to the user management module to minimize the risk of exploitation.
Exploit
Fix
XSS
Affected Products
Phpgurukul Cyber Cafe Management System
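One way to apply the workaround recommended above to the uadd value, as an added example that is not code from the application or its vendor. The helper names normalize_address and h, the 255-character limit and the sample address are assumptions, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added example. normalize_address() and h() are hypothetical helpers,
// not functions from the application; the sample address is constructed.

/** Input side: validate the submitted uadd value before it is stored. */
function normalize_address(string $raw, int $maxLen = 255): string
{
    // Refuse invalid UTF-8 so the stored bytes cannot be reinterpreted later.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('address is not valid UTF-8');
    }
    // Remove control characters other than newline, then trim whitespace.
    $clean = trim(preg_replace('/[^\P{Cc}\n]/u', '', $raw) ?? '');
    if ($clean === '' || mb_strlen($clean, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('address is empty or too long');
    }
    // Markup characters are kept as data; they are neutralised on output.
    return $clean;
}

/** Output side: encode for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed value standing in for a stored uadd field.
$stored = normalize_address('Flat "B", 12 Main St <b>North</b>');

// Element content, as in a table cell on a listing or detail page.
echo '<td>' . h($stored) . '</td>', PHP_EOL;
// Quoted attribute, as in an edit form; ENT_QUOTES covers both quote styles.
echo '<input name="uadd" value="' . h($stored) . '">', PHP_EOL;
```

Encoding at output time also covers records that were stored before any input check was in place.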