CVE-2025-41734 - Unauthenticated Local File Inclusion in php module
CVE ID : CVE-2025-41734
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41734
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41735 - Possible arbitrary file upload
CVE ID : CVE-2025-41735
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41735
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41736 - Possible arbitrary code execution
CVE ID : CVE-2025-41736
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41736
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41737 - Improper access control via php endpoint
CVE ID : CVE-2025-41737
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41737
Published : Nov. 18, 2025, 11:15 a.m. | 2 hours, 31 minutes ago
Description : Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9312 - Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products
CVE ID : CVE-2025-9312
Published : Nov. 18, 2025, 12:05 p.m. | 1 hour, 41 minutes ago
Description : A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms—such as Mutual TLS OAuth client authentication and X.509 login flows—are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9312
Published : Nov. 18, 2025, 12:05 p.m. | 1 hour, 41 minutes ago
Description : A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms—such as Mutual TLS OAuth client authentication and X.509 login flows—are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13343 - SourceCodester Interview Management System editQuestion.php cross site scripting
CVE ID : CVE-2025-13343
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A security flaw has been discovered in SourceCodester Interview Management System 1.0. Affected is an unknown function of the file /editQuestion.php. The manipulation of the argument Question results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13343
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A security flaw has been discovered in SourceCodester Interview Management System 1.0. Affected is an unknown function of the file /editQuestion.php. The manipulation of the argument Question results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13344 - SourceCodester Train Station Ticketing System ajax.php sql injection
CVE ID : CVE-2025-13344
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13344
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13345 - SourceCodester Train Station Ticketing System ajax.php sql injection
CVE ID : CVE-2025-13345
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_ticket. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13345
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_ticket. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41348 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
CVE ID : CVE-2025-41348
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41348
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41349 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
CVE ID : CVE-2025-41349
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41349
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41350 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
CVE ID : CVE-2025-41350
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41350
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6670 - Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services
CVE ID : CVE-2025-6670
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6670
Published : Nov. 18, 2025, 12:15 p.m. | 1 hour, 31 minutes ago
Description : A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8084 - AI Engine <= 3.1.8 - Authenticated (Editor+) Server-Side Request Forgery
CVE ID : CVE-2025-8084
Published : Nov. 18, 2025, 12:29 p.m. | 1 hour, 17 minutes ago
Description : The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8084
Published : Nov. 18, 2025, 12:29 p.m. | 1 hour, 17 minutes ago
Description : The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13346 - SourceCodester Train Station Ticketing System ajax.php sql injection
CVE ID : CVE-2025-13346
Published : Nov. 18, 2025, 12:32 p.m. | 1 hour, 15 minutes ago
Description : A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13346
Published : Nov. 18, 2025, 12:32 p.m. | 1 hour, 15 minutes ago
Description : A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13347 - SourceCodester Train Station Ticketing System ajax.php sql injection
CVE ID : CVE-2025-13347
Published : Nov. 18, 2025, 1:02 p.m. | 45 minutes ago
Description : A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13347
Published : Nov. 18, 2025, 1:02 p.m. | 45 minutes ago
Description : A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59110 - Cross-Site Request Forgery in Windu CMS
CVE ID : CVE-2025-59110
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59110
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59112 - Cross-Site Request Forgery in Windu CMS
CVE ID : CVE-2025-59112
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59112
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59113 - Bruteforce Protection Bypass in Windu CMS
CVE ID : CVE-2025-59113
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59113
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59114 - Cross-Site Request Forgery in Windu CMS
CVE ID : CVE-2025-59114
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59114
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59115 - Stored XSS in Windu CMS
CVE ID : CVE-2025-59115
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59115
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59117 - Multiple Stored XSS in Windu CMS
CVE ID : CVE-2025-59117
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59117
Published : Nov. 18, 2025, 1:26 p.m. | 20 minutes ago
Description : Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...