CVE-2025-41039

Name of the Vulnerable Software and Affected Versions appRain CMF version 4.0.5

Description A stored authenticated cross-site scripting (XSS) issue exists due to insufficient validation of user-supplied input. The vulnerability is present in the following parameters within the /apprain/admin/config/opts endpoint: data[sconfig][admin landing page], data[sconfig][currency], data[sconfig][db version], data[sconfig][default pagination], data[sconfig][emailsetup from email], data[sconfig][emailsetup host], data[sconfig][emailsetup password], data[sconfig][emailsetup port], data[sconfig][emailsetup username], data[sconfig][fileresource id], data[sconfig][large image height], data[sconfig][large image width], and data[sconfig][time zone padding].

Recommendations For appRain CMF version 4.0.5, implement robust input validation and sanitization for all user-supplied data, especially within the specified parameters of the /apprain/admin/config/opts endpoint.