Phpgurukul: community verdicts
43 notable / known-exploited Phpgurukul CVEs the community has triaged.
- CVE-2022-29004MED 6.1EPSS 3%
Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.
- CVE-2022-35155MED 6.1EPSS 3%
Bus Pass Management System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the searchdata parameter.
- CVE-2022-29005MED 6.1EPSS 3%
Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.
- CVE-2020-22168HIGH 7.5Real · low riskEPSS 2%
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\change-emaild.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2022-31384CRIT 9.8Real · low riskEPSS 2%
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.
- CVE-2022-31383CRIT 9.8Real · low riskEPSS 2%
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in view-directory.php.
- CVE-2022-31382CRIT 9.8Real · low riskEPSS 2%
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php.
- CVE-2022-35156CRIT 9.8Real · low riskEPSS 1%
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php..
- CVE-2023-37687HIGH 7.2Real · low riskEPSS 1%
Online Nurse Hiring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the View Request of Nurse Page in the Admin portal.
- CVE-2022-31897MED 6.1EPSS 1%
SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=.
- CVE-2022-33075MED 5.4EPSS 1%
A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.
- CVE-2025-45947CRIT 9.8Real · low riskEPSS 1%
An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component
- CVE-2024-53480CRIT 9.8Real · low riskEPSS 1%
Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter.
- CVE-2020-25487HIGH 7.8Real · low riskEPSS 1%
PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is affected by: SQL Injection via zms/animal-detail.php.
- CVE-2024-51064CRIT 9.8Real · low riskEPSS 1%
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.
- CVE-2023-37684MED 4.8EPSS 1%
Online Nurse Hiring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Search Report Details of the Admin portal.
- CVE-2023-37685MED 4.8EPSS 1%
Online Nurse Hiring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Search Report Page of the Admin portal.
- CVE-2023-37686MED 4.8EPSS 1%
Online Nurse Hiring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Add Nurse Page in the Admin portal.
- CVE-2023-37683MED 4.8EPSS 1%
Online Nurse Hiring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Profile Page of the Admin.
- CVE-2025-57119CRIT 9.8Real · low riskEPSS 1%
An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function
- CVE-2024-51065CRIT 9.8Real · low riskEPSS 0%
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter.
- CVE-2024-51063CRIT 9.1Real · low riskEPSS 0%
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter.
- CVE-2023-37689MED 4.8EPSS 0%
Maid Hiring Management System v1.0 was discovered to contain a SQL injection vulnerability in the Booking Request page.
- CVE-2023-37688MED 4.8EPSS 0%
Maid Hiring Management System v1.0 was discovered to contain a SQL injection vulnerability in the Admin page.
- CVE-2024-53481MED 6.1EPSS 0%
A Cross Site Scripting (XSS) vulnerability in the profile.php of PHPGurukul Beauty Parlour Management System v1.1 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "Firstname" and "Last name" parameters.
- CVE-2024-51066HIGH 7.5Real · low riskEPSS 0%
An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers.
- CVE-2025-50489HIGH 7.5Real · low riskEPSS 0%
Improper session invalidation in the component /srms/change-password.php of PHPGurukul Student Result Management System v2.0 allows attackers to execute a session hijacking attack.
- CVE-2023-37690MED 4.8EPSS 0%
Maid Hiring Management System v1.0 was discovered to contain a SQL injection vulnerability in the Search Maid page.
- CVE-2025-50492HIGH 7.5Real · low riskEPSS 0%
Improper session invalidation in the component /edms/change-password.php of PHPGurukul e-Diary Management System v1 allows attackers to execute a session hijacking attack.
- CVE-2025-45949CRIT 9.8Real · low riskEPSS 0%
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.
- CVE-2025-50490HIGH 7.5Real · low riskEPSS 0%
Improper session invalidation in the component /elms/emp-changepassword.php of PHPGurukul Student Result Management System v2.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50494HIGH 7.5Real · low riskEPSS 0%
Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Car Washing Management System v1.0 allows attackers to execute a session hijacking attack.
- CVE-2024-53365MED 5.4EPSS 0%
A stored cross-site scripting (XSS) vulnerability was identified in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/profile.php. This vulnerability allows authenticated users to inject malicious XSS scripts into the profile name field.
- CVE-2025-45953CRIT 9.1Real · low riskEPSS 0%
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely
- CVE-2024-53364MED 5.4EPSS 0%
A SQL injection vulnerability was found in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/view-detail.php. This vulnerability affects the viewid parameter, where improper input sanitization allows attackers to inject malicious SQL queries.
- CVE-2025-50486HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /carrental/update-password.php of PHPGurukul Car Rental Project v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50485HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack.
- CVE-2025-50493HIGH 7.5Real · low riskEPSS 0%
Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Doctor Appointment Management System v1 allows attackers to execute a session hijacking attack.
- CVE-2025-50488HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50491HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack.
- CVE-2025-50487HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack.
- CVE-2025-50484HIGH 7.1Real · low riskEPSS 0%
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-57145MED 5.4EPSS 0%
A cross-site scripting (XSS) vulnerability exists in the search-autootaxi.php endpoint of the ATSMS web application. The application fails to properly sanitize user input submitted through a form field, allowing an attacker to inject arbitrary JavaScript code. The malicious payload is stored in the backend and executed when a user or administrator accesses the affected report page. This allows attackers to exfiltrate session cookies, hijack user sessions, and perform unauthorized actions in the context of the victims browser.