W
indu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.
References
| Link | Resource |
|---|---|
| https://cert.pl/posts/2025/11/CVE-2025-59110 | Third Party Advisory |
| https://windu.org | Product |
Configurations
History
05 Dec 2025, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. |
20 Nov 2025, 15:36
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:* | |
| First Time |
Windu
Windu windu Cms |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://cert.pl/posts/2025/11/CVE-2025-59110 - Third Party Advisory | |
| References | () https://windu.org - Product |
18 Nov 2025, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-18 15:16
Updated : 2025-12-05 13:16
NVD link : CVE-2025-59112
Mitre link : CVE-2025-59112
CVE.ORG link : CVE-2025-59112
JSON object : View
CWE
CWE-352
Cross-Site Request Forgery (CSRF)