CVE-2025-9656 Overview
CVE-2025-9656 is a stored cross-site scripting (XSS) vulnerability affecting PHPGurukul Directory Management System 2.0. The flaw resides in /admin/add-directory.php, where the fullname parameter is not sanitized before being processed by the application. An attacker can inject malicious JavaScript that executes in the browser of any user who views the affected directory entry.
The vulnerability requires user interaction and can be triggered remotely across the network. Public disclosure of the exploit has occurred through VulDB and a GitHub issue tracker, increasing the likelihood of opportunistic abuse against exposed instances.
Critical Impact
Attackers can inject persistent JavaScript through the fullname field, enabling session hijacking, credential theft, or administrative account compromise when other users load the affected page.
Affected Products
- PHPGurukul Directory Management System 2.0
- Deployments referencing cpe:2.3:a:phpgurukul:directory_management_system:2.0
- Web applications exposing /admin/add-directory.php
Discovery Timeline
- 2025-08-29 - CVE-2025-9656 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9656
Vulnerability Analysis
The vulnerability is classified under [CWE-79], improper neutralization of input during web page generation. PHPGurukul Directory Management System 2.0 accepts the fullname argument through the /admin/add-directory.php endpoint and stores it without proper sanitization or output encoding. When the stored value is later rendered in the administrative interface, browser-executed script payloads embedded in the field are interpreted as active content.
Cross-site scripting in an administrative interface elevates impact because sessions in that context typically hold higher privileges. An attacker abusing this flaw can execute JavaScript in the context of an authenticated administrator, redirect requests, exfiltrate session cookies, or manipulate application state through forged actions.
Exploitation requires network access to the vulnerable endpoint and user interaction to trigger the payload. No authentication material is required to submit the crafted fullname value in vulnerable deployments where the endpoint is reachable.
Root Cause
The root cause is missing input validation and output encoding on the fullname request parameter handled by /admin/add-directory.php. The application trusts client-supplied text and reflects or persists it into HTML contexts without escaping characters such as <, >, ", and '.
Attack Vector
An attacker submits a crafted request to /admin/add-directory.php containing a JavaScript payload in the fullname parameter. When an administrator or user opens the corresponding page, the browser parses and executes the injected script under the origin of the vulnerable application. The exploit has been publicly disclosed, lowering the barrier for reuse.
No verified proof-of-concept code is available in the referenced advisories. Technical details are described in the associated GitHub Issue Tracking and VulDB entry #321864.
Detection Methods for CVE-2025-9656
Indicators of Compromise
- POST requests to /admin/add-directory.php containing HTML tags, javascript: URIs, or event handlers such as onerror= and onload= inside the fullname parameter.
- Directory records whose fullname field contains <script>, <img>, or <svg> markup.
- Outbound requests from administrator browsers to unknown domains immediately after loading directory pages.
Detection Strategies
- Inspect application and web server logs for encoded payload markers in the fullname parameter, including %3Cscript%3E, %3Cimg, and onerror%3D.
- Deploy a web application firewall rule set that flags common XSS signatures targeting form fields submitted to PHPGurukul admin endpoints.
- Perform database queries against directory tables to identify stored values containing HTML tags or JavaScript pseudo-protocols.
Monitoring Recommendations
- Alert on anomalous administrative sessions producing outbound HTTP requests shortly after directory pages are viewed.
- Track repeated submissions to /admin/add-directory.php from a single source address as a potential exploitation attempt.
- Correlate cookie theft indicators such as session reuse from disparate IP addresses following directory record submissions.
How to Mitigate CVE-2025-9656
Immediate Actions Required
- Restrict access to /admin/add-directory.php to trusted administrative IP ranges using web server or firewall rules.
- Audit all existing directory entries for stored HTML or JavaScript content and remove malicious records.
- Enforce strong session controls, including short session lifetimes and HttpOnly cookie attributes, to reduce the impact of script execution.
Patch Information
No vendor patch is referenced in the available advisories. Consult the PHP Gurukul Resource for vendor communications and the VulDB CTI entry for tracking updates. Until an official fix is issued, apply compensating controls at the application and network layers.
Workarounds
- Place the application behind a web application firewall configured to block XSS payloads in POST parameters.
- Implement server-side input validation that rejects angle brackets and script-related keywords in the fullname field.
- Apply output encoding in templates that render directory records, escaping HTML special characters before display.
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources.
# Example nginx rule to block obvious XSS payloads in the fullname parameter
location /admin/add-directory.php {
if ($request_method = POST) {
if ($request_body ~* "fullname=[^&]*(<|%3C)(script|img|svg|iframe)") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

