CVE-2025-63611: n/a
Cross-Site Scripting in phpgurukul Hostel Management System v2.1: user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser.
AI Analysis
Technical Summary
CVE-2025-63611 is a stored Cross-Site Scripting (XSS) flaw in phpgurukul Hostel Management System version 2.1. The 'Explain the Complaint' field of the user complaint form (/register-complaint.php) accepts input without sanitization or escaping; the value is stored in the backend and later written unescaped into the administrator's complaint viewer page (/admin/complaint-details.php?cid=<id>). When an administrator opens that page, any HTML or JavaScript embedded in the complaint executes in the administrator's browser context. An attacker therefore only needs to submit a crafted complaint to run arbitrary script in the admin's session. Potential consequences include theft of the admin session cookie, actions performed with admin privileges, defacement, or pivoting further into the system. Submitting a complaint does not require authentication, but exploitation does require an administrator to view the malicious entry. No CVSS score has been assigned, and no patches or known exploits are publicly available. The CVE was reserved in October 2025 and published in January 2026. The root cause is that complaint text is rendered without output encoding (and is not validated on submission either); this pattern is common in PHP web applications that do not apply secure coding practices to user-generated content.
Potential Impact
For European organizations using the phpgurukul Hostel Management System, this vulnerability poses a significant risk to administrative account security and system integrity. Exploitation could lead to compromise of administrator sessions, allowing attackers to gain elevated privileges, access sensitive data, or manipulate hostel management functions. This could disrupt operations, lead to data breaches involving personal information of residents or staff, and damage organizational reputation. Educational institutions, student housing providers, and accommodation services relying on this system are particularly vulnerable. The stored nature of the XSS increases risk since malicious code persists and can affect multiple administrators over time. Additionally, if attackers leverage this access to move laterally within the network, broader organizational impact is possible. The absence of known exploits reduces immediate risk but also means organizations may be unaware of the threat. Without timely mitigation, the vulnerability could be targeted in future campaigns, especially as awareness grows.
Mitigation Recommendations
To mitigate CVE-2025-63611, organizations should apply strict input validation and, above all, output encoding on every user-supplied field, starting with the complaint submission form. The 'Explain the Complaint' value must be encoded for the HTML context in which it is rendered (so that stored markup is displayed as text rather than interpreted), and inputs should be validated against an allow-list of acceptable characters before storage; use the escaping functions of a well-maintained library or framework rather than ad-hoc string replacement. Additionally, restrict access to the admin complaint viewer to trusted IPs or VPN users and enforce multi-factor authentication for administrator accounts to reduce the impact of a compromised session; note that these controls limit who can reach the page but do not stop the payload from executing when a legitimate administrator opens the complaint. Setting the HttpOnly flag on the admin session cookie and a restrictive Content-Security-Policy add defence in depth but do not remove the flaw. Regularly audit and monitor logs for complaint submissions containing script tags or other unusual payloads. Apply the vendor's fix for the phpgurukul system once one is available. As an immediate workaround, consider disabling the complaint submission feature or the admin complaint viewer until secure handling is implemented. Training administrators to recognize suspicious behaviour and report anomalies can also help detect exploitation attempts early.
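As an added illustration (not phpgurukul's own code), the unescaped render pattern described in the Technical Summary beside the output-encoded form recommended above, plus the coarse submission check the monitoring advice calls for; the table/column name `complaintDescription` and the function names are assumptions.

```php
<?php
// Added illustrative example; this is not phpgurukul's own code. The column
// name complaintDescription and the function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern ('before'): the stored complaint text is concatenated
// straight into the admin page, so any markup saved via the form is parsed
// and executed by the administrator's browser.
function render_complaint_vulnerable(array $row): string
{
    return '<div class="complaint">' . $row['complaintDescription'] . '</div>';
}

// Hardened pattern: encode at output time. ENT_QUOTES covers both quote
// characters so the value is also safe inside quoted attributes,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8 (which
// would silently drop the complaint), and the charset is stated explicitly.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_complaint_hardened(array $row): string
{
    // Encode first, then add <br> for line breaks: nl2br on already-encoded
    // text only inserts its own tags, so no stored markup survives.
    return '<div class="complaint">' . nl2br(esc($row['complaintDescription'])) . '</div>';
}

// Detection aid for the monitoring recommendation above: a coarse check to
// flag submissions worth logging. It is a heuristic for alerting only and
// is no substitute for output encoding (false positives are expected).
function looks_like_markup_injection(string $text): bool
{
    return (bool) preg_match('~</?[a-z!]|javascript\s*:|\bon[a-z]+\s*=~i', $text);
}

// Admin viewer flow with a constructed row standing in for the database read.
$cid = (int) (filter_input(INPUT_GET, 'cid', FILTER_VALIDATE_INT) ?: 0);
$row = ['cid' => $cid, 'complaintDescription' => "Tap leaks <b>every</b> night &\n\"fix\" please"];

if (looks_like_markup_injection($row['complaintDescription'])) {
    error_log(sprintf('complaint %d contains markup-like content', $row['cid']));
}
echo render_complaint_hardened($row), PHP_EOL;
```

Run from the command line the constructed complaint is printed with `<b>` and the quotes encoded as entities; the same row passed through render_complaint_vulnerable() would leave the tag intact.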
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 695fd2d12717593a3341ed56
Added to database: 1/8/2026, 3:52:49 PM
Last enriched: 1/8/2026, 4:00:54 PM
Last updated: 1/9/2026, 12:19:13 PM