Platform: php
Component: windu-cms
Fixed in: 4.1.1
CVE-2025-59114 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Windu CMS. This flaw allows an attacker to trick a user into unknowingly uploading malicious files to the server. The vulnerability impacts versions 0.0 through 4.1, and a patch is available in version 4.1 build 2250.
An attacker can exploit this CSRF vulnerability by crafting a malicious website. When a logged-in user of Windu CMS visits this website, it submits an upload request that the victim's browser sends with the victim's authenticated session, so the server accepts an unauthorized file upload. This could lead to the execution of arbitrary code, defacement of the website, or the compromise of sensitive data stored on the server. The potential damage is significant, as an attacker could gain complete control over the affected system. Successful exploitation hinges on the victim being authenticated within the Windu CMS application.
CVE-2025-59114 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on CISA KEV. Exploitation probability is considered low due to the lack of publicly available exploits.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59114 is to upgrade Windu CMS to version 4.1 build 2250. If upgrading is not immediately feasible, consider implementing CSRF protection mechanisms at the application level, such as adding CSRF tokens to file upload forms. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of defense. Review and restrict file upload permissions to minimize the impact of a successful attack.
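The token-based mitigation described above, shown as an added example of a CSRF-protected PHP upload form and handler (this is not Windu CMS code; the session key, form field names, APP_HOST and the upload directory are assumptions):

```php
<?php
// Added example, not Windu CMS code: a file upload endpoint guarded by a
// per-session CSRF token plus an Origin check. Names below are assumptions.
declare(strict_types=1);
session_start();

const APP_HOST = 'cms.example.org'; // assumed canonical host of the CMS
const UPLOAD_DIR = '/var/uploads/';   // assumed directory outside the web root

// Issue one unguessable token per session and reuse it for every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; rejects missing, non-string or stale tokens.
function csrf_is_valid(mixed $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Defence in depth: a form posted from another site carries that site's Origin.
function origin_is_same_site(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true; // same-origin form posts may legitimately omit Origin
    }
    return parse_url($origin, PHP_URL_HOST) === APP_HOST;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!origin_is_same_site() || !csrf_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    if (($_FILES['upload']['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('No file uploaded');
    }
    // Store under a server-chosen name; never trust the client-supplied filename.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16));
    if (!move_uploaded_file($_FILES['upload']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Upload failed');
    }
    exit('Stored');
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="file" name="upload"> <button type="submit">Upload</button>
</form>
```

A request forged from another origin cannot read the session-bound token, so the handler answers 403 before any file is written.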
Update Windu CMS to version 4.1 build 2250 or later. This update corrects the Cross-Site Request Forgery (CSRF) vulnerability in the file uploading functionality. The update can be performed through the CMS administration panel or by downloading the latest version from the official website.
CVE-2025-59114 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS, allowing attackers to upload malicious files without user consent.
You are affected if you are using Windu CMS versions 0.0 through 4.1. Version 4.1 build 2250 is not affected.
Upgrade Windu CMS to version 4.1 build 2250. Implement CSRF protection measures if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the lack of a public PoC does not guarantee safety.
Refer to the Windu CMS official website or security advisories for the latest information and updates regarding CVE-2025-59114.