CVE-2025-59110

MEDIUM

Windu Cms - CSRF

Title source: rule

Description

Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

References (2)

[Third Party Advisory] https://cert.pl/posts/2025/11/CVE-2025-59110

[Product] https://windu.org/

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 4.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Classification

CWE

CWE-352

Status published

Affected Products (1)

windu/windu_cms

Timeline

Published Nov 18, 2025

Tracked Since Feb 18, 2026