{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-65136", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T18:04:46.651Z", "dateReserved": "2025-11-18T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:08:18.744Z"}, "descriptions": [{"lang": "en", "value": "In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:04:13.480033Z", "id": "CVE-2025-65136", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:04:46.651Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-65136", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:04:13.480033Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:04:41.027Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md"}], "descriptions": [{"lang": "en", "value": "In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:08:18.744Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65136", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:04:46.651Z", "dateReserved": "2025-11-18T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter."}], "id": "CVE-2025-65136", "lastModified": "2026-04-17T15:33:34.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T16:16:34.640", "references": [{"source": "cve@mitre.org", "url": "https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "school-management-system", "vendor": "manikandan580"}], "analysis": {"en": {"generated_at": "2026-04-14T20:49:01.575316+00:00", "value": {"mitigation_remediation": ["Apply the patched version of the School\u2011management\u2011system as described in the advisory at https://github.com/TREXNEGRO/Security\u2011Advisories/blob/main/CVE-2025-65136/README.md", "If an update is unavailable, ensure that the pagedes POST parameter is sanitized and that any dynamic content is properly encoded before rendering to prevent script execution", "Deploy a Web Application Firewall or input validation libraries to detect and block malicious payloads targeting the contact\u2011us page"], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Version\u202f1.0 of the School\u2011management\u2011system developed by the user manikandan580 is impacted. No other vendors or products are listed as affected.", "description_and_impact": "An attacker can submit a malicious script via the pagedes POST parameter on the /studentms/admin/contact\u2011us.php page. The page echoes the supplied value back to the browser without proper filtering, allowing the payload to execute in the context of the victim\u2019s session. This can lead to session hijacking, credential theft, defacement, or execution of arbitrary code within the victim\u2019s browser. The issue is a classic reflected XSS weakness (CWE\u201179).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly documented exploits yet. The likely attack path requires the attacker to send a crafted POST request to the contact\u2011us page, from which the malicious JavaScript is returned to the victim\u2019s browser. The impact is limited to browsers that load the echoed value and does not automatically grant system compromise beyond the user\u2019s session."}}}}, "created": "2026-04-15T15:30:06.834674+00:00", "title": "Reflected Cross\u2011Site Scripting in School Management System Contact Page", "updated": "2026-04-15T21:03:12.490200+00:00", "vendors": ["manikandan580", "manikandan580$PRODUCT$school-management-system"]}