CVE-2025-41059

Name of the Vulnerable Software and Affected Versions appRain CMF version 4.0.5

Description A stored authenticated cross-site scripting (XSS) issue exists due to insufficient validation of user-supplied data. The vulnerability is triggered through the data[Addon][layouts] and data[Addon][layouts except] parameters in the /apprain/developer/addons/update/tablesorter API endpoint.

Recommendations Ensure proper validation and sanitization of user input for the data[Addon][layouts] and data[Addon][layouts except] parameters. As a temporary workaround, restrict access to the /apprain/developer/addons/update/tablesorter API endpoint.