CVE-2025-45805

HIGH

Phpgurukul Doctor Appointment Management System - XSS

Title source: rule

Description

In phpgurukul Doctor Appointment Management System 1.0, an authenticated doctor user can inject arbitrary JavaScript code into their profile name. This payload is subsequently rendered without proper sanitization when a user visits the website and selects the doctor to book an appointment.

Exploits (1)

nomisec WRITEUP
by mohammed-alsaqqaf · poc
https://github.com/mohammed-alsaqqaf/CVE-2025-45805

Scores

CVSS v3 7.6
EPSS 0.0001
EPSS Percentile 3.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Details

CWE
CWE-79
Status published
Products (1)
phpgurukul/doctor_appointment_management_system 1.0.0
Published Sep 03, 2025
Tracked Since Feb 18, 2026