CVE-2025-59114

18.11.2025, 15:16

Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CSRF

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
CERT-PL	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://cert.pl/posts/2025/11/CVE-2025-59110

https://windu.org