PT-2025-40605 · Kuno Cms
Snowhy77 · Published 2025-10-03 · Updated 2025-10-04
CVE-2025-61681
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
KUNO CMS versions prior to 1.3.14
Description
KUNO CMS, a full-stack blog application, has a flaw in its file upload functionality. The upload handler validates file types solely from the client-supplied Content-Type header; it neither inspects the file content nor enforces an extension whitelist. An attacker can therefore upload an SVG file containing script, disguised as an image. When a user opens a page that displays the uploaded resource, arbitrary JavaScript executes in that user's browser. The affected API endpoint is the file upload functionality; the vulnerable parameter is the uploaded file itself.
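As an added illustration (not KUNO CMS code; the function names and sample bytes are constructed), the Content-Type-only check the advisory describes is shown beside a content-aware allowlist that rejects the same disguised SVG:

```python
"""Upload validation: header-only check versus extension allowlist plus magic bytes."""
import os

# Extension allowlist with the leading bytes each file must start with.
# SVG is deliberately absent: it is XML and may carry <script> elements.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def weak_check(content_type: str, data: bytes) -> bool:
    """Mirrors the described flaw: trusts only the client-supplied Content-Type."""
    return content_type.lower().startswith("image/")


def strict_check(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened check: extension allowlisted, magic bytes match, header agrees."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False
    expected = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/" + ext[1:]
    return content_type.lower() == expected


# Constructed samples: an SVG with a script element sent under an image header,
# and the first bytes of a real PNG (header only, padded).
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* marker */</script></svg>'
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo() -> dict:
    """Return the outcome of each check so the difference is visible at a glance."""
    return {
        "weak_accepts_disguised_svg": weak_check("image/png", SVG_WITH_SCRIPT),
        "strict_rejects_disguised_svg": not strict_check("avatar.png", "image/png", SVG_WITH_SCRIPT),
        "strict_rejects_svg_extension": not strict_check("avatar.svg", "image/svg+xml", SVG_WITH_SCRIPT),
        "strict_rejects_header_mismatch": not strict_check("avatar.png", "image/gif", REAL_PNG),
        "strict_accepts_real_png": strict_check("avatar.png", "image/png", REAL_PNG),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

As defence in depth, serving user uploads from a separate origin or with `Content-Disposition: attachment` keeps any file that slips through from executing script in the application's origin.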
Recommendations
Update KUNO CMS to version 1.3.14 or later.
Tags: XSS, Unrestricted File Upload
Affected Products: Kuno Cms