Impact
A stored Cross‑Site Scripting flaw resides in the Mobile Number input of the /admin/profile.php page of Phpgurukul Vehicle Record Management System v1.0. By injecting a crafted payload into this field, an attacker can have malicious code stored and later served to users who view or edit the profile. The vulnerability allows execution of arbitrary web scripts or HTML in the context of other users, which can lead to session hijacking, defacement, or theft of sensitive data displayed by the application. It does not give the attacker control over the server itself. This weakness is rooted in improper input handling and output encoding (CWE‑79).
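The two controls named above, input handling and output encoding, are shown here for a phone-number field as an added example; this is not the application's code. The helper names, the form field name and the 7 to 15 digit policy are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from the affected project.

/**
 * Input side: accept only a plausible phone number before it is stored.
 * The 7-15 digit rule with an optional leading "+" is an assumed policy.
 */
function normalize_mobile(string $raw): ?string
{
    $value = trim($raw);
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    return preg_match('/\A\+?[0-9]{7,15}\z/', $value) === 1 ? $value : null;
}

/**
 * Output side: encode for an HTML text node or a quoted attribute value.
 * Applied at render time, so rows stored before the fix are neutralized too.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one valid number, one carrying markup.
$samples = ['+15551234567', '5551234567"><i>markup</i>'];

foreach ($samples as $submitted) {
    $stored = normalize_mobile($submitted);
    printf("accepted for storage: %s\n", $stored === null ? 'no' : 'yes');

    // Even if a bad value already sits in the database, encoding keeps it
    // inert when it is echoed back into the profile form.
    // The field name "mobile" is a placeholder.
    printf(
        "<input type=\"text\" name=\"mobile\" value=\"%s\">\n",
        html_escape($submitted)
    );
}
```

Validation alone does not clean up values already stored, which is why the encoding step is applied on every render regardless of how the value was written.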
Affected Systems
Phpgurukul Vehicle Record Management System version 1.0 is affected. The flaw is located in the admin profile module accessible at /admin/profile.php. No vendor‑supplied patch or newer release is referenced in the available data.
Risk and Exploitability
The CVSS score of 4.8 places the issue in the medium range, while an EPSS score below 1 % suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating limited public exploitation. Based on the description, it is inferred that attackers would need to reach the /admin/profile.php endpoint and submit a malicious Mobile Number value, implying that authenticated access or the ability to trick a legitimate administrator is likely required. The attack vector is a web form input, requiring moderate effort and possibly user interaction to trigger the malicious payload.