{"id":"CVE-2025-63589","details":"A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.","modified":"2026-03-14T12:45:37.892353Z","published":"2025-11-06T17:15:46.343Z","references":[{"type":"WEB","url":"https://github.com/cmsimple-xh/cmsimple-xh/blob/master/index.php"},{"type":"EVIDENCE","url":"https://github.com/cybercrewinc/CVE-2025-63589"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cmsimple-xh/cmsimple-xh","events":[{"introduced":"0"},{"last_affected":"569ec8e70618892017558dbf5214d8d414322728"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.8.0-NA"}]}}],"versions":["1.6.10","1.7.0","1.7.0beta1","1.7.0rc1","1.7.1","1.7.2","1.7.3","1.7.4","1.7.4RC1","1.7.6","1.7.6RC1","1.8.0","1.8RC1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63589.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}