Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account.
Only version 4.1 was tested and confirmed as vulnerable.
This issue was fixed in version 4.1 build 2250.
References
| Link | Resource |
|---|---|
| https://cert.pl/posts/2025/11/CVE-2025-59110 | Third Party Advisory |
| https://windu.org/ | Product |
Configurations
History
05 Dec 2025, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. |
20 Nov 2025, 15:46
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://cert.pl/posts/2025/11/CVE-2025-59110 - Third Party Advisory | |
| References | () https://windu.org/ - Product | |
| First Time |
Windu
Windu windu Cms |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| CPE | cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:* |
18 Nov 2025, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-18 15:16
Updated : 2025-12-05 13:16
NVD link : CVE-2025-59110
Mitre link : CVE-2025-59110
CVE.ORG link : CVE-2025-59110
JSON object : View
Products Affected
windu
- windu_cms
CWE
CWE-352
Cross-Site Request Forgery (CSRF)