CVE-2025-69437

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-69437

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69437.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-69437

Published

2026-02-27T17:16:26.007Z

Modified

2026-04-10T05:35:21.163290Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.

References

https://github.com/sanluan/PublicCMS/issues/103

Affected packages

Git / github.com/sanluan/publiccms

Affected ranges

Type

GIT

Repo

https://github.com/sanluan/publiccms

Events

Introduced

Last affected

59479f0374d48903f5678280c7ae4a46f5e94f8d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.202506.d"
        }
    ]
}

Affected versions

Other

V2016

V4.*

V4.0.180707

V4.0.181024

V4.0.190312

V4.0.202004

V4.0.202107

V5.*

V5.202302.a

V5.202302.b

V5.202302.c

V5.202302.d

V5.202302.e

V5.202302.f

V5.202406.a

V5.202406.b

V5.202406.c

V5.202406.d

V5.202406.e

V5.202506.a

V5.202506.b

V5.202506.c

V5.202506.d

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69437.json"