CVE-2025-69437 - Vulnerability Analysis
HighCVSS: 8.7Last Updated: February 27, 2026
PublicCMS - Stored XSS
Published: February 27, 2026Updated: February 27, 2026Remote Exploitable
Overview
PublicCMS v5.202506.d and earlier contains a stored XSS caused by JavaScript payloads embedded in uploaded PDFs bypassing backend PDF security checks in CmsFileUtils.java, letting attackers execute arbitrary scripts when users view the files, exploit requires user to upload and view malicious PDF.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Attackers can execute arbitrary scripts via malicious PDFs, leading to credential theft and unauthorized API actions.
Mitigation
Update to the latest version beyond v5.202506.d.
Related Resources
Details
- CVE ID
- CVE-2025-69437
- Severity
- High
- CVSS Score
- 8.7
- Type
- stored_xss
- Status
- new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N