CVE-2025-69437

Name of the Vulnerable Software and Affected Versions PublicCMS versions prior to 5.202506.d

Description The software contains a stored cross-site scripting (XSS) issue. Uploaded PDF files can include JavaScript payloads that bypass security checks within the backend CmsFileUtils.java. When a user views a malicious PDF uploaded to the system, the embedded JavaScript can execute, potentially leading to credential theft and arbitrary API execution. The file upload endpoints affected include /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, and /cmsWebFile/doUpload.

Recommendations Update to a version newer than 5.202506.d.