Description

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads that bypass the PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in credential theft, arbitrary API execution, and other security issues. This vulnerability affects all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.

INFO

Published Date: 2026-02-27T00:00:00.000Z

Last Modified: 2026-02-27T19:47:56.667Z

Source: mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2025-69437 vulnerability.

Vendor: Publiccms
  • Product: Publiccms
Vendor: Sanluan
  • Product: Publiccms