CVE-2025-14201 MEDIUM

CVE-2025-14201: alokjaiswal Hotel-Management-services-using-MYSQL-and-php dishsub.php cross site scripting

Vendor Alokjaiswal
Product Hotel-Management-services-using-MYSQL-and-php
Weakness CWE-79 · XSS
Published December 7, 2025
Last update February 24, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

December 7, 2025 CVE published
February 24, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-46995 baserCMS has Cross-site Scripting Vulnerability in HTTP 400 Bad Request CVE-2024-29799 WordPress WP Fast Total Search plugin <= 1.59.211 - Cross Site Scripting (XSS) vulnerability CVE-2023-24403 WordPress bbPress Voting Plugin <= 2.1.11.0 is vulnerable to Cross-Site Scripting (XSS) CVE-2024-10788 Activity Log – Monitor & Record User Changes <= 2.11.1 - Unauthenticated Stored Cross-Site Scripting via Event Context CVE-2024-11945 Email Reminders <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter