How to fix CVE-2025-63528?

Within 24 hours: Disable public access to the blooddinfo.php component or restrict it to authenticated users only; audit access logs for exploitation attempts. Within 7 days: Implement WAF rules to block malicious payloads in the error parameter; notify all users of the vulnerability and advise against using the affected feature. Within 30 days: Evaluate alternative blood bank management solutions; engage the vendor for patch timeline or consider migrating to patched version once available.

Is PHP affected by CVE-2025-63528?

A critical XSS vulnerability in the Blood Bank Management System allows attackers to inject malicious code that executes in users' browsers, potentially enabling credential theft, session hijacking, or unauthorized access to sensitive blood bank records.

CVE-2025-63528

EUVD-2025-199997 HIGH

2025-12-01 [email protected]

8.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 13:34 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 13:34 euvd

EUVD-2025-199997

PoC Detected

Dec 02, 2025 - 03:04 vuln.today

Public exploit code

CVE Published

Dec 01, 2025 - 15:15 nvd

HIGH 8.5

Description

A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed.

Analysis

Technical Context

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

Affected Products

Affected products: Shridharshukl Blood Bank Management System 1.0

Remediation

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +42

POC: +20

CVE-2025-63528 vulnerability details – vuln.today

Back

CVE-2025-63528

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-63528

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code