CVE-2025-1957 identifies a cross-site scripting (XSS) vulnerability in the Blood Bank System, affecting version 1.0. The flaw allows an attacker to inject script into pages served by the application, potentially compromising user sessions and data integrity. A patch, version 1.0.1, has been released to address the vulnerability.
Successful exploitation of CVE-2025-1957 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the Blood Bank System's web interface. The attacker could potentially steal sensitive patient data or manipulate blood bank records, depending on the application's functionality and user privileges. Given the nature of XSS, the impact can be significant, particularly if the application handles sensitive information or is integrated with other systems.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the potential impact on sensitive data warrants immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status: EPSS 0.12% (30th percentile)
The primary mitigation for CVE-2025-1957 is to immediately upgrade the Blood Bank System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Bloodname parameter within the /BBfile/Blood/o+.php file. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the Bloodname parameter and verifying that it is properly sanitized or blocked.
Update to a patched version of the Blood Bank System. If a patched version is not available, sanitize user inputs, especially the Bloodname parameter, to prevent the execution of malicious JavaScript code. Implement security measures such as output encoding and input validation.
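As an added example, not code from the Blood Bank System project, the following PHP shows the two mitigations recommended above (input validation and output encoding) applied to a request parameter named after the advisory's Bloodname; the set of valid blood groups, the function names and the page wording are assumptions.

```php
<?php
// Added example (not the Blood Bank System's own code). The reflected-XSS
// pattern the advisory describes is echoing a request parameter straight
// into HTML, e.g.  echo "Blood: " . $_GET['Bloodname'];  with no encoding.
// Below: validate first, then encode anyway (defence in depth).

declare(strict_types=1);

// Assumption: Bloodname is a blood group; this is the only set we accept.
const VALID_BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

/**
 * Input validation: return the canonical blood group, or null for
 * anything else (non-strings such as Bloodname[]=x are rejected too).
 */
function validateBloodname(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $candidate = strtoupper(trim($raw));
    return in_array($candidate, VALID_BLOOD_GROUPS, true) ? $candidate : null;
}

/**
 * Output encoding for an HTML text/attribute context. Applied even to
 * validated values so a later loosening of the whitelist stays safe.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderBloodPage(array $get): string
{
    $bloodname = validateBloodname($get['Bloodname'] ?? null);
    if ($bloodname === null) {
        // Do not echo the rejected input back: that would recreate the reflection point.
        http_response_code(400);
        return '<p>Unknown blood group.</p>';
    }
    return '<h1>Donors with blood group ' . h($bloodname) . '</h1>';
}

// Constructed inputs: a legitimate lookup and the advisory's alert(1) probe.
header('Content-Type: text/html; charset=UTF-8');
echo renderBloodPage(['Bloodname' => 'o+']), PHP_EOL;                         // <h1>Donors with blood group O+</h1>
echo renderBloodPage(['Bloodname' => '<script>alert(1)</script>']), PHP_EOL;  // <p>Unknown blood group.</p>
```

Run it as `php example.php` or behind a web server; the second request is rejected by the whitelist before it ever reaches the output stage, and `h()` would neutralise it even if it did.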
CVE-2025-1957 is a cross-site scripting (XSS) vulnerability in Blood Bank System versions 1.0–1.0, allowing attackers to inject malicious scripts.
Yes, if you are running Blood Bank System version 1.0–1.0, you are affected by this vulnerability.
Upgrade to version 1.0.1 or implement input validation and output encoding on the Bloodname parameter.
While no active campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Blood Bank System project's official website or repository for the advisory related to CVE-2025-1957.