kiwi865

7 exploits, active since Dec 2025
CVE-2025-63520 (MEDIUM) WRITEUP
FeehiCMS 2.1.1 - XSS
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).
CVSS 6.1
CVE-2025-63526 (HIGH) WRITEUP
Blood Bank Management System - XSS
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed.
CVSS 8.5
CVE-2025-63528 (HIGH) WRITEUP
Blood Bank Management System 1.0 - XSS
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed.
CVSS 8.5
CVE-2025-63529 (MEDIUM) WRITEUP
Blood Bank Management System 1.0 - Session Fixation
A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account.
CVSS 6.1
CVE-2025-63532 (CRITICAL) WRITEUP
Blood Bank Management System 1.0 - SQL Injection
A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system.
CVSS 9.6
CVE-2025-63533 (HIGH) WRITEUP
Blood Bank Management System 1.0 - XSS
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone and rcity parameters, which are then executed in the victim's browser when the page is viewed.
CVSS 8.5
CVE-2025-63534 (HIGH) WRITEUP
Blood Bank Management System 1.0 - XSS
A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim's browser when the page is viewed.
CVSS 8.5