PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-65134 Unknown Vendor CVE debrief

CVE-2025-65134 is a reflected cross-site scripting (XSS) issue affecting manikandan580 School-management-system 1.0 in /studentms/admin/contact-us.php via the email POST parameter. NVD records the issue with a CVSS 3.1 base score of 6.1 (Medium), maps it to CWE-79, and marks the record Deferred. Because exploitation requires user interaction, the main concern is browser-side script execution in a victim's session when untrusted input is reflected without proper output encoding.

Vendor: Unknown Vendor
Product: Unknown
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-14
Original CVE updated: 2026-05-10
Advisory published: 2026-04-14
Advisory updated: 2026-05-10

Who should care

Administrators and developers responsible for School-management-system 1.0, especially anyone running the /studentms/admin/contact-us.php endpoint on an internet-facing or admin-facing deployment.

Technical summary

The vulnerability is a reflected XSS condition in a web form handler. The supplied CVE description identifies the email POST parameter in /studentms/admin/contact-us.php as the injection point, and NVD classifies the weakness as CWE-79. The listed vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates network reachability, no privileges required, and user interaction required, with limited confidentiality and integrity impact.

Defensive priority

Medium priority. Treat it as higher priority if the affected endpoint is exposed to untrusted users or is reachable from authenticated administrative workflows.

Recommended defensive actions

  • Review /studentms/admin/contact-us.php for reflected input handling and apply context-aware output encoding before rendering any user-supplied data.
  • Validate the email POST parameter server-side and reject unexpected characters or formats before processing.
  • Add or tighten a Content Security Policy and other browser-side protections as defense in depth.
  • Audit similar form handlers in the application for the same reflected XSS pattern.
  • If a maintained patched release or fixed fork is available, upgrade to a version that remediates the issue.
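To make the first three actions concrete, the following is an added illustration and not code from the School-management-system project: a constructed contact-form handler that reflects the email field the way CWE-79 describes, beside a hardened version that validates server-side, encodes for the HTML attribute context, and sets a CSP as defense in depth. Only the field name email is taken from the CVE description; the function names and markup are assumptions.

```php
<?php
// Constructed example for this debrief; not the project's own code.
// The form field name 'email' is from the CVE description; all other
// names and markup are stand-ins for whatever contact-us.php renders.

// Vulnerable pattern: the submitted value is concatenated straight into
// an HTML attribute, so a double quote in the input ends the attribute
// and any following markup is interpreted by the browser.
function render_vulnerable(array $post): string {
    $email = $post['email'] ?? '';
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened pattern: validate first, then encode for the exact context.
function render_hardened(array $post): string {
    $raw = $post['email'] ?? '';
    // filter_var returns the address on success and false otherwise, so
    // anything that is not a syntactically valid email is never reflected.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return '<input type="text" name="email" value="">'
             . '<p class="error">Please enter a valid email address.</p>';
    }
    // ENT_QUOTES encodes both quote characters, so the value cannot close
    // the attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string. The charset is stated explicitly.
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="email" value="' . $safe . '">';
}

// Defense in depth: a restrictive CSP blocks inline script execution even
// if an encoding gap remains elsewhere in the application. Must be sent
// before any output. Tighten or relax per the real page's script needs.
function send_csp_header(): void {
    header("Content-Security-Policy: default-src 'self'; "
         . "script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed, non-executing input: a quote plus a closing bracket is
// enough to show the attribute breakout without using script content.
if (PHP_SAPI === 'cli') {
    $sample = ['email' => 'x"><i>reflected</i>'];
    echo "vulnerable: ", render_vulnerable($sample), PHP_EOL;
    echo "hardened:   ", render_hardened($sample), PHP_EOL;
    echo "valid:      ", render_hardened(['email' => 'a@example.com']), PHP_EOL;
}
```

Running the file from the command line prints the three renderings side by side: the vulnerable output contains the injected <i> element as live markup, while the hardened version rejects the malformed value and reflects only the valid address, encoded.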

Evidence notes

The debrief is based only on the supplied CVE description and official metadata. The description states a reflected XSS in /studentms/admin/contact-us.php via the email POST parameter. NVD metadata supplied in the corpus lists CWE-79, CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and vulnStatus Deferred. The CVE record was published on 2026-04-14 and last modified on 2026-05-10.

Official resources

Publicly disclosed in the CVE record on 2026-04-14 and last modified in NVD on 2026-05-10.