CVE-2025-63588
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-06

Last updated on: 2025-11-10

Assigner: MITRE

Description
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-06
Last Modified
2025-11-10
Generated
2026-06-16
AI Q&A
2025-11-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63588
EUVD
EUVD-2025-38063
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cmsimple-xh cmsimple_xh 1.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated reflected cross-site scripting (XSS) issue in the query handling of CMSimpleXH. It allows remote attackers to inject and execute arbitrary JavaScript code in a victim's browser by sending a specially crafted request, such as a maliciously crafted POST login.

Impact Analysis

Exploitation of this vulnerability can lead to theft of session cookies, disclosure of credentials, or other client-side impacts, potentially compromising user accounts and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart