CVE-2025-63589

Published: Nov 6, 2025

Modified: Nov 6, 2025

PUBLISHED

Description

A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/cmsimple-xh/cmsimple-xh/blob/master/index.php

https://github.com/cybercrewinc/CVE-2025-63589

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63589

Description

Affected Products

References