汇总 windu 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 CSRF与跨站脚本,在 软件部署与生产负载 使用场景中可能带来 会话劫持 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-59117 | Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 4.8 | 0.16% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59116 | Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 6.9 | 0.21% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59115 | Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 5.3 | 0.14% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59114 | Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 5.1 | 0.12% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59113 | Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 6.9 | 0.23% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59112 | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 5.1 | 0.12% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59111 | Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 6.9 | 0.26% | 2025-11-18 | 2026-06-17 |
| CVE-2025-59110 | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | [email protected] | 6.8 | 0.15% | 2025-11-18 | 2026-06-17 |
| CVE-2013-7474 | Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users. | [email protected] | 6.1 | 0.83% | 2019-08-01 | 2026-06-16 |
| CVE-2013-7473 | Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account. | [email protected] | 8.8 | 0.61% | 2019-08-01 | 2026-06-16 |