CVE-2025-25772

Name of the Vulnerable Software and Affected Versions Jspxcms versions 9.0 through 9.5

Description A Cross-Site Request Forgery (CSRF) issue in the /back/UserController.java component allows attackers to arbitrarily add Administrator accounts via a crafted request. This enables attackers to create admin accounts without proper authorization.

Recommendations For Jspxcms versions 9.0 through 9.5, as a temporary workaround, consider disabling the UserController.java component until a patch is available. Restrict access to the /back/UserController.java endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.