CVE-2025-41040

Name of the Vulnerable Software and Affected Versions appRain CMF version 4.0.5

Description A stored authenticated cross-site scripting (XSS) issue exists due to insufficient validation of user-supplied data. The vulnerability is present in the /apprain/developer/language/lipsum.xml endpoint through the data[code], data[lang][0][key], data[lang][0][value], data[lang][1][key], and data[title] parameters.

Recommendations Update appRain CMF to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the /apprain/developer/language/lipsum.xml endpoint. Sanitize the data[code], data[lang][0][key], data[lang][0][value], data[lang][1][key], and data[title] parameters before processing them.