CVE-2025-40696 is a stored Cross-Site Scripting (XSS) vulnerability identified in version 1.2 of the PHPGurukul Online Fire Reporting System. This vulnerability arises from improper neutralization of user input during web page generation, specifically affecting the 'fullname', 'location', and 'message' parameters submitted via POST requests to the '/ofrs/reporting.php' endpoint. The flaw allows an authenticated remote attacker to inject malicious scripts that are stored on the server and subsequently executed in the browsers of other authenticated users who view the affected content. Because the vulnerability is stored and requires authentication, it can be leveraged to steal session cookies and potentially hijack user sessions, leading to unauthorized access or actions within the application. The vulnerability is classified under CWE-79, indicating improper input sanitization and output encoding. The CVSS v4.0 base score is 5.1 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required but user interaction is necessary, and the impact is limited to integrity with some scope change. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was assigned by INCIBE and publicly disclosed in September 2025.

For European organizations using the PHPGurukul Online Fire Reporting System, this vulnerability poses a moderate risk. Since the system is designed for fire reporting, it likely contains sensitive operational data and user information. Exploitation could lead to session hijacking of authenticated users, enabling attackers to impersonate legitimate users, manipulate reports, or access confidential information. This could disrupt emergency response workflows, damage organizational reputation, and potentially lead to regulatory non-compliance under GDPR if personal data is compromised. The requirement for user interaction and authentication limits the attack surface somewhat, but insider threats or phishing campaigns could facilitate exploitation. The medium severity score indicates that while the vulnerability is not critical, it still warrants timely remediation to prevent escalation or chaining with other vulnerabilities.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially the 'fullname', 'location', and 'message' fields. Employing a robust web application firewall (WAF) configured to detect and block XSS payloads targeting the '/ofrs/reporting.php' endpoint can provide immediate protection. Since no official patch is available, organizations should consider temporary measures such as disabling or restricting access to the vulnerable reporting functionality to trusted users only. Conducting security awareness training to reduce the risk of phishing or social engineering attacks that could facilitate exploitation is also recommended. Additionally, monitoring application logs for suspicious input patterns and anomalous user behavior can help detect attempted exploitation. Once a patch is released by PHPGurukul, prompt application of updates is essential. Implementing Content Security Policy (CSP) headers can further mitigate the impact of XSS by restricting script execution contexts.