CVE-2025-9755
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Khanakag-17 Library Management System up to 60ed174506094dcd166e34904a54288e5d10ff24. This affects an unknown function of the file /index.php. The manipulation of the argument msg leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9755
EUVD
EUVD-2025-26318
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
khanakag-17 library_management_system to 2025-08-23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) flaw in the Khanakag-17 Library Management System, specifically in the 'msg' parameter of the /index.php file. It occurs because the application does not properly sanitize or neutralize user input before reflecting it back in the web page. This allows an attacker to inject and execute arbitrary JavaScript code in the victim's browser when they interact with a crafted URL. [1, 2]

Impact Analysis

Exploitation of this vulnerability can lead to execution of arbitrary JavaScript code in a victim's browser. This can result in theft of session cookies or sensitive information, website defacement, malicious redirection to other sites, and enable further client-side attacks. The attack can be performed remotely without authentication but requires user interaction. [1, 2]

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP GET request to the vulnerable endpoint with a script injection in the 'msg' parameter and observing if the script executes in the response. For example, you can use curl to test it: curl -i 'http://<target>/Library-Manager/library_Project/index.php?msg=<script>alert("XSS")</script>'. If a JavaScript alert box appears in the browser or the response contains the injected script, the system is vulnerable. Additionally, attackers may use Google dorking with queries like 'inurl:index.php' to identify potentially vulnerable targets. [1, 2]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and output encoding for all user-supplied parameters, especially the 'msg' parameter, to prevent script injection. Using frameworks or libraries that automatically escape HTML special characters is recommended. Applying a Content Security Policy (CSP) can also reduce the impact of injected scripts. Since no specific patches or updates are available due to the rolling release model, consider replacing the affected product with a secure alternative if possible. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart