Key Information

Vulnerability Type: Stored Cross-Site Scripting (XSS)
Vulnerable Endpoint:
Parameter:

Vulnerability Description

The application fails to properly validate or sanitize user input in the parameter, allowing attackers to inject malicious scripts that are stored on the server. When a user opens the affected page, the stored script executes automatically in that user's browser, which is the security risk to the user.

PoC (Proof of Concept)

Encoded Payload:
Decoded Payload:

Impact

- Session hijacking: stealing cookies or tokens to impersonate users
- Malware delivery: script injection to download malicious content
- Credential theft: stealing usernames and passwords via forged forms
- Sensitive data exposure: access to protected application data
- Browser takeover: executing arbitrary commands within the user's browser session
- Phishing attacks: redirecting users to malicious websites or login pages
- Website defacement: altering visible content on the platform
- Reputational damage: eroding trust in the affected platform

References

- CVE-2025-8509
- VulnDB-318608
- i-Educar - Official Repository

Discoverer: Marcelo Queiroz
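The description above comes down to a stored parameter value being emitted into a page without output encoding. The following is an added illustration, not code from i-Educar or from this advisory: it models the vulnerable render beside the hardened one using a constructed harmless marker string, plus a small triage helper that flags stored records already carrying markup. The in-memory store and all function names are hypothetical.

```python
import html
import re

# Constructed in-memory store standing in for the server-side table that keeps
# the submitted parameter value (hypothetical; not i-Educar's schema).
STORE: dict[int, str] = {}

# Constructed harmless marker used only to show how encoding changes the output.
MARKER = "<script>alert(1)</script>"

# Matches the start of any HTML tag, opening or closing.
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")


def save_field(record_id: int, value: str) -> None:
    """Persist the raw submitted value; encoding belongs at output time, not here."""
    STORE[record_id] = value


def render_vulnerable(record_id: int) -> str:
    """The defect the advisory describes: stored value interpolated into HTML verbatim."""
    return f"<td>{STORE[record_id]}</td>"


def render_hardened(record_id: int) -> str:
    """Fix: HTML-encode for the text context at render time. quote=True also
    escapes quote characters, so the same helper is safe inside a quoted attribute."""
    return f"<td>{html.escape(STORE[record_id], quote=True)}</td>"


def cell_has_live_tag(rendered: str) -> bool:
    """Template regression check: does the rendered cell body still carry a tag?"""
    body = rendered.removeprefix("<td>").removesuffix("</td>")
    return _TAG.search(body) is not None


def find_suspect_records() -> list[int]:
    """Triage helper for responders: ids whose stored value already contains markup."""
    return sorted(rid for rid, value in STORE.items() if _TAG.search(value))


if __name__ == "__main__":
    save_field(7, MARKER)
    save_field(8, "plain text")
    print("vulnerable:", render_vulnerable(7))
    print("hardened:  ", render_hardened(7))
    print("suspect records:", find_suspect_records())
```

The hardened render leaves the marker visible as text rather than as an element, and the triage helper gives an incident responder a starting list of records to review once the fix is deployed.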