Cyber Posture

CVE-2025-69437

Severity: High · Public PoC available

Published: 27 February 2026

Modified: 05 March 2026
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69437 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Publiccms Publiccms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Validates uploaded PDF files to detect and reject those containing JavaScript payloads, directly addressing the bypass in CmsFileUtils.java.

prevent: Filters information output when viewing uploaded files to neutralize embedded JavaScript, preventing stored XSS execution.

prevent: Scans file uploads at entry points for malicious code such as JavaScript in PDFs across affected endpoints.
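The first control above (validate and reject PDFs that carry JavaScript) is the one a defender can put directly in the upload path. The following is an added example, not PublicCMS code and not the CmsFileUtils.java check the advisory refers to: a raw-byte scanner that flags the JavaScript-related PDF name tokens (/JavaScript, /JS, and the /OpenAction and /AA auto-run hooks), undoes the #XX hex escapes that hide those names from naive string matching, and inflates FlateDecode streams so dictionaries packed into object streams are scanned too. The token set, size and depth limits, and the four sample PDFs are constructed for this example.

```python
import re
import zlib

# Names that carry or auto-trigger JavaScript. Reject on JS_NAMES; log TRIGGER_NAMES.
JS_NAMES = {b"JavaScript", b"JS"}
TRIGGER_NAMES = {b"OpenAction", b"AA"}
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_INFLATE = 1 << 20  # cap inflated bytes per stream (decompression-bomb guard)
MAX_DEPTH = 3          # nested streams are rare; bound the recursion anyway

def _names(data: bytes):
    # PDF names may hide keywords with #XX hex escapes (/Java#53cript); undo them.
    for m in NAME_RE.finditer(data):
        yield re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda h: bytes([int(h.group(1), 16)]), m.group(1))

def find_pdf_javascript(data: bytes, depth: int = 0) -> set:
    """Return the JS-related name tokens found, including inside Flate streams."""
    found = {n for n in _names(data) if n in JS_NAMES or n in TRIGGER_NAMES}
    if depth < MAX_DEPTH:
        for m in STREAM_RE.finditer(data):
            try:  # object streams (/ObjStm) hide dictionaries behind /FlateDecode
                inflated = zlib.decompressobj().decompress(m.group(1), MAX_INFLATE)
            except zlib.error:
                continue  # not zlib data (image, uncompressed, other filter)
            found |= find_pdf_javascript(inflated, depth + 1)
    return found

def is_upload_allowed(data: bytes) -> bool:
    return not (find_pdf_javascript(data) & JS_NAMES)

# Constructed sample PDFs (minimal, no xref table; enough for the scanner).
def _mini_pdf(objects: bytes) -> bytes:
    return b"%PDF-1.7\n" + objects + b"trailer << /Root 1 0 R >>\n%%EOF\n"

CLEAN_PDF = _mini_pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                      b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n")
OPENACTION_JS_PDF = _mini_pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R "
                              b"/OpenAction << /S /JavaScript /JS (test) >> >> endobj\n")
HEX_ESCAPED_PDF = _mini_pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R "
                            b"/OpenAction << /S /Java#53cript /J#53 (test) >> >> endobj\n")
_inner = zlib.compress(b"4 0 << /S /JavaScript /JS (test) >>")
OBJSTM_JS_PDF = _mini_pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
    % len(_inner) + b"stream\n" + _inner + b"\nendstream\nendobj\n")
```

A byte-level scan like this does not see into XFA forms or non-Flate filters, so it complements rather than replaces the second control: serving uploads with Content-Disposition: attachment, or from an origin separate from the application, keeps any PDF viewer script from running in the CMS origin.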

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS via malicious PDF upload enables exploitation of public-facing web app (T1190) and browser session hijacking for credential theft/API abuse (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.

Deeper analysis [AI-generated]

CVE-2025-69437 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting PublicCMS versions v5.202506.d and earlier. The flaw occurs in the backend CmsFileUtils.java component, where PDF security checks are bypassed, enabling uploaded PDF files to embed and retain JavaScript payloads. This issue impacts all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, and /cmsWebFile/doUpload.

An attacker with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) by uploading a malicious PDF containing a JavaScript payload through any affected endpoint. The attack requires low complexity (AC:L) and user interaction (UI:R) when a victim views the file, at which point the payload triggers. Successful exploitation results in a changed scope (S:C) with high confidentiality and integrity impacts (C:H/I:H), such as credential theft and arbitrary API execution, earning a CVSS v3.1 base score of 8.7.

The GitHub issue at https://github.com/sanluan/PublicCMS/issues/103 provides additional details on this vulnerability.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: publiccms publiccms, versions ≤ 5.202506.d

CVEs Like This One

CVE-2026-1112 (same product: Publiccms Publiccms)
CVE-2025-57516 (same product: Publiccms Publiccms)
CVE-2025-25361 (same product: Publiccms Publiccms)
CVE-2026-3289 (same product: Publiccms Publiccms)
CVE-2026-1111 (same product: Publiccms Publiccms)
CVE-2025-22751 (shared CWE-79)
CVE-2026-30862 (shared CWE-79)
CVE-2025-23726 (shared CWE-79)
CVE-2025-67932 (shared CWE-79)
CVE-2025-28928 (shared CWE-79)
