CVE-2025-59113

HIGH

Windu CMS - Brute Force

Title source: rule

Description

Windu CMS implements weak, client-side brute-force protection that relies on the loginError parameter. The attempt count and timeout are not stored on the server, so an attacker can bypass the protection by resetting this parameter. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.
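
The mitigation for this class of flaw (CWE-307) is to keep the failure counter and lockout deadline on the server, as in the added example below. It is not Windu CMS code or the vendor's fix; `LoginThrottle`, `handle_login`, the policy constants and the sample credentials are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5        # assumed policy, not taken from Windu CMS
LOCKOUT_SECONDS = 300   # assumed policy, not taken from Windu CMS


class LoginThrottle:
    """Failure counters and lockout deadlines held on the server, per account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # username -> (failure_count, locked_until or None)

    def is_locked(self, username):
        _, locked_until = self._state.get(username, (0, None))
        return locked_until is not None and self._clock() < locked_until

    def record_failure(self, username):
        count, _ = self._state.get(username, (0, None))
        count += 1
        locked_until = None
        if count >= MAX_FAILURES:
            locked_until = self._clock() + LOCKOUT_SECONDS
            count = 0  # fresh window once the lockout has expired
        self._state[username] = (count, locked_until)

    def record_success(self, username):
        self._state.pop(username, None)


def handle_login(form, throttle, credentials):
    """Return 'ok', 'denied' or 'locked'.

    form is the submitted request data. Any client-supplied counter such as
    form['loginError'] is deliberately never read: the client controls it.
    credentials is a constructed username -> password map; a real system
    would verify against salted password hashes instead.
    """
    user = form.get("username", "")
    if throttle.is_locked(user):
        return "locked"  # checked before the password is even compared
    expected = credentials.get(user)
    supplied = form.get("password", "")
    if expected is not None and hmac.compare_digest(expected.encode(), supplied.encode()):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"
```

Per-account lockout alone lets anyone lock out a known username, so production deployments usually combine it with per-source rate limiting.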

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 11.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-307
Status published
Products (1)
windu/windu_cms 4.1
Published Nov 18, 2025
Tracked Since Feb 18, 2026