VYPR
Medium severity (score 4.3) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 29, 2026

CVE-2025-10794

Description

A flaw has been found in PHPGurukul Car Rental Project 3.0. An unknown function of the file /carrental/search.php is affected. Manipulation of the argument autofocus can lead to cross-site scripting. The attack can be launched remotely. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in PHPGurukul Car Rental Project 3.0's search.php allows remote attackers to inject scripts via the autofocus parameter.

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Car Rental Project version 3.0. The flaw is in the file /carrental/search.php, which writes the value of the autofocus parameter into the HTML response without encoding it for the context in which it is inserted [2]. Because the browser parses the reflected value as markup, an attacker who controls that parameter can inject arbitrary HTML and JavaScript.

The attack is remote: the payload travels in a crafted POST request to the search endpoint [2]. As with any reflected XSS delivered over POST, the script runs in the browser of whoever renders the response, so an attacker targeting another user has to get that user's browser to submit the request, typically through an attacker-controlled page. The advisory does not state whether authentication is required; if search.php enforces no session, the endpoint is reachable by unauthenticated users [2].

Successful exploitation can lead to session hijacking, cookie theft, page defacement, or phishing, because the injected script runs in the origin of the vulnerable site and with the victim's browser state [2]. Both anonymous visitors and authenticated users are exposed; the latter are the more valuable target since their session cookies are what the script can steal or reuse.

The vulnerability has been publicly disclosed together with a proof-of-concept exploit. As of the advisory, the vendor had released no patch [1]. Until one is available, operators should encode the parameter on output (for an HTML attribute, htmlspecialchars with ENT_QUOTES) rather than rely on input filtering, restrict access to search.php where that is workable, and upgrade when a fixed release appears.
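The PHP below is added here as an illustration; it is not code from the PHPGurukul Car Rental Project or from the published exploit. It puts the vulnerable template shape the narrative describes next to its hardened form and checks, with a constructed payload, that the encoded version keeps the payload inert. Only the parameter name autofocus and the file name search.php come from the advisory; the form markup, the function names, and the payload are assumptions made for the example, and whether the published exploit uses this form is not stated on this page.

```php
<?php
// Added illustration for CVE-2025-10794; this is not code from the PHPGurukul
// Car Rental Project. Only the parameter name "autofocus" and the file name
// search.php come from the advisory. The markup around them is a hypothetical
// reconstruction of a search form that echoes its input back, the usual shape
// of a reflected XSS in a search page. Requires PHP 8.0+ (str_contains).
declare(strict_types=1);

// Hypothetical vulnerable pattern: the request value is concatenated into an
// attribute with no encoding, so a value containing a double quote closes the
// attribute and can add new attributes (or a new tag) to the element.
function render_search_vulnerable(array $post): string
{
    $value = (string) ($post['autofocus'] ?? '');
    return '<input type="text" name="autofocus" value="' . $value . '">';
}

// Encoder for the HTML attribute context. ENT_QUOTES is passed explicitly so
// that both " and ' are encoded on every PHP version (before 8.1 the default
// left single quotes alone, which matters for single-quoted attributes).
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently drop the whole value.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened version of the same template: identical markup, encoded value.
function render_search_fixed(array $post): string
{
    $value = (string) ($post['autofocus'] ?? '');
    return '<input type="text" name="autofocus" value="' . html_attr($value) . '">';
}

// Self-check. The payload is constructed for this example: it closes the value
// attribute and adds an onfocus handler; the autofocus attribute it also adds
// makes the handler fire on page load, without any click from the victim.
function self_check(): bool
{
    $payload = '" autofocus onfocus="alert(document.cookie)';
    $post    = ['autofocus' => $payload];

    $vuln  = render_search_vulnerable($post);
    $fixed = render_search_fixed($post);

    // Vulnerable output: the browser parses a real onfocus attribute.
    $ok = str_contains($vuln, ' onfocus="alert(document.cookie)"');
    // Fixed output: every quote became &quot;, so the payload stays inside
    // value="..." as inert text and no new attribute exists.
    $ok = $ok && !str_contains($fixed, ' onfocus="');
    $ok = $ok && str_contains(
        $fixed,
        'value="&quot; autofocus onfocus=&quot;alert(document.cookie)"'
    );

    echo "vulnerable: $vuln\n";
    echo "fixed:      $fixed\n";
    return $ok;
}

exit(self_check() ? 0 : 1);
```

Run it with the PHP command-line interpreter; it exits 0 when the hardened output passes both checks. The point to carry over to the real fix is context: a value placed inside a double-quoted attribute needs attribute encoding with ENT_QUOTES, and the same value inside a script block or a URL would need a different encoder. Input sanitization that strips script tags is not a substitute, since the payload above contains no tag at all. As defense in depth, mark session cookies HttpOnly so a script running in the page cannot read them, and consider a Content-Security-Policy that disallows inline event handlers.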

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • cpe:2.3:a:phpgurukul:car_rental_project:3.0:*:*:*:*:*:*:*
  • (no CPE) range: 3.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.