Cyber Resilience

CVE-2025-69437

High · Public PoC

Published: 27 February 2026

Modified: 05 March 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v3.1): 8.7, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score: 0.0034 (26.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-69437 is a high-severity Cross-site Scripting (CWE-79) vulnerability in PublicCMS (vendor Publiccms, product Publiccms). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 26.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-69437 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting PublicCMS versions v5.202506.d and earlier. The flaw occurs in the backend CmsFileUtils.java component, where PDF security checks are bypassed, enabling uploaded PDF files to embed and retain JavaScript payloads. This issue impacts all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, and /cmsWebFile/doUpload.

An attacker with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) by uploading a malicious PDF containing a JavaScript payload through any affected endpoint. The attack requires low complexity (AC:L) and user interaction (UI:R) when a victim views the file, at which point the payload triggers. Successful exploitation results in a changed scope (S:C) with high confidentiality and integrity impacts (C:H/I:H), such as credential theft and arbitrary API execution, earning a CVSS v3.1 base score of 8.7.

The GitHub issue at https://github.com/sanluan/PublicCMS/issues/103 provides additional details on this vulnerability.


Vulnerability details

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS via malicious PDF upload enables exploitation of public-facing web app (T1190) and browser session hijacking for credential theft/API abuse (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1112 (same product: Publiccms Publiccms)
CVE-2025-57516 (same product: Publiccms Publiccms)
CVE-2025-25361 (same product: Publiccms Publiccms)
CVE-2026-3289 (same product: Publiccms Publiccms)
CVE-2026-1111 (same product: Publiccms Publiccms)
CVE-2025-22320 (shared CWE-79)
CVE-2015-20118 (shared CWE-79)
CVE-2025-23846 (shared CWE-79)
CVE-2026-2936 (shared CWE-79)
CVE-2025-24620 (shared CWE-79)

Affected Assets

publiccms publiccms ≤ 5.202506.d

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10, Information Input Validation): Validates uploaded PDF files to detect and reject those containing JavaScript payloads, directly addressing the bypass in CmsFileUtils.java.

Prevent (SI-15, Information Output Filtering): Filters information output when viewing uploaded files to neutralize embedded JavaScript, preventing stored XSS execution.

Prevent: Scans file uploads at entry points for malicious code such as JavaScript in PDFs across affected endpoints.
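As an added defender-side example (not PublicCMS code and not taken from the advisory), the following Python upload gate implements the input-validation control above for the PDF case described in the "Deeper analysis" section. It checks the PDF magic rather than the extension, decodes PDF name escapes (so `/J#53` is recognised as `/JS`), inflates Flate-compressed streams (where object streams can hide the action dictionary), and rejects any file carrying JavaScript or other action markers. All sample PDFs are constructed inline for the demonstration; the marker list and function names are this example's own choices.

```python
import re
import zlib

# PDF name objects whose presence means the file can run or trigger active content.
# This is a conservative allow/deny gate, not a full PDF parser: anything matching is rejected.
ACTIVE_CONTENT_NAMES = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch")

# A PDF name may encode any byte as #xx, e.g. /J#53 is the same name as /JS.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies sit between "stream" and "endstream"; avoid matching the "stream" inside "endstream".
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A name token ends at whitespace, a PDF delimiter, or end of data, so /JS does not match /JSON.
_NAME = re.compile(
    rb"/(" + b"|".join(ACTIVE_CONTENT_NAMES) + rb")(?=[\s()<>\[\]{}/%]|$)"
)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to their plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return every stream body, decompressed when it is Flate-encoded, raw otherwise."""
    bodies = []
    for m in _STREAM.finditer(data):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not Flate (or corrupt): scan the bytes as they are
    return bodies


def find_active_content(pdf: bytes, inflate: bool = True) -> list[str]:
    """Sorted list of active-content markers found in the raw file and (optionally) its streams."""
    chunks = [pdf] + (inflate_streams(pdf) if inflate else [])
    found = set()
    for chunk in chunks:
        for m in _NAME.finditer(normalize_names(chunk)):
            found.add("/" + m.group(1).decode("ascii"))
    return sorted(found)


def is_pdf(data: bytes) -> bool:
    """Trust the content, not the extension or Content-Type; readers tolerate junk before the header."""
    return b"%PDF-" in data[:1024]


def accept_upload(data: bytes) -> tuple[bool, str]:
    """Upload gate: (accepted, reason). Rejects non-PDFs and PDFs carrying active content."""
    if not is_pdf(data):
        return False, "not a PDF"
    markers = find_active_content(data)
    if markers:
        return False, "active content: " + ", ".join(markers)
    return True, "ok"


# --- constructed sample inputs (not real files from the advisory) ---
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# Plain document-open JavaScript action; the script body is a placeholder string.
PLAIN_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (sample) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# Same action with the names written using #xx escapes; a plain substring match would miss it.
OBFUSCATED_PDF = (
    PLAIN_JS_PDF.replace(b"/JavaScript", b"/J#61vaScript")
    .replace(b"/JS ", b"/J#53 ")
    .replace(b"/OpenAction", b"/Open#41ction")
)
# Action dictionary held inside a Flate stream (stand-in for a compressed object stream).
_ACTION = zlib.compress(b"<< /S /JavaScript /JS (sample) >>")
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_ACTION)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _ACTION + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
NOT_A_PDF = b"<html><body>renamed.pdf</body></html>"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PDF), ("plain", PLAIN_JS_PDF),
                          ("obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF),
                          ("not-a-pdf", NOT_A_PDF)]:
        print(label, accept_upload(sample))
```

The gate is deliberately strict: it rejects `/OpenAction` and `/AA` even though those can carry harmless actions, because an upload endpoint has no reason to accept a document that does anything on open. It complements rather than replaces the output-side control: uploads should additionally be served with `Content-Disposition: attachment` (or from a separate origin) so that a PDF which slips through is never rendered inline within the application's own origin, where its script could reach session cookies and authenticated APIs.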
