Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user.
Only version 4.1 was tested and confirmed as vulnerable.
This issue was fixed in version 4.1 build 2250.
References
| Link | Resource |
|---|---|
| https://cert.pl/posts/2025/11/CVE-2025-59110 | Third Party Advisory |
| https://windu.org | Product |
Configurations
History
05 Dec 2025, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. |
20 Nov 2025, 15:36
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://cert.pl/posts/2025/11/CVE-2025-59110 - Third Party Advisory | |
| References | () https://windu.org - Product | |
| CPE | cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| First Time |
Windu
Windu windu Cms |
18 Nov 2025, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-18 15:16
Updated : 2025-12-05 13:16
NVD link : CVE-2025-59112
Mitre link : CVE-2025-59112
CVE.ORG link : CVE-2025-59112
JSON object : View
Products Affected
windu
- windu_cms
CWE
CWE-352
Cross-Site Request Forgery (CSRF)