CVE-2025-59113

Windu CMS implements weak client-side brute-force protection by using parameter loginError.Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter.

Only version 4.1 was tested and confirmed as vulnerable.
This issue was fixed in version 4.1 build 2250.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CERT-PLCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
winduwindu_cms
4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert.pl/posts/2025/11/CVE-2025-59110
https://windu.org