Skip to main content

Willow CMS CVE-2025-12331

LOW
Improper Access Control (CWE-284)
2025-10-27 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:36 vuln.today

DescriptionCVE.org

A weakness has been identified in Willow CMS up to 1.4.0. Impacted is an unknown function of the file /admin/images/add. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

AnalysisAI

Willow CMS up to version 1.4.0 allows high-privilege authenticated users to upload arbitrary files via an unrestricted file upload vulnerability in the /admin/images/add endpoint. The CVSS 2.0 score reflects the requirement for high-privilege authentication (PR:H), but public exploit code availability combined with low EPSS (0.05th percentile) suggests this is primarily exploitable only by compromised or malicious administrators rather than remote unauthenticated attackers.

Technical ContextAI

The vulnerability exists in the /admin/images/add administrative endpoint, classified under CWE-284 (Improper Access Control). The file upload functionality lacks proper validation and restrictions on uploaded file types or content, allowing authenticated users with high privileges to upload arbitrary files to the server. This is a server-side upload validation weakness rather than a client-side bypass. The affected product is Willow CMS, an open-source content management system maintained by matthewdeaves, which may be used in self-hosted deployments where administrative access control is misconfigured or insider threats exist.

RemediationAI

Upgrade Willow CMS to a version newer than 1.4.0 if a patch has been released; verify the latest release at https://github.com/matthewdeaves/willow. If no patched version is available, implement compensating controls: restrict administrative access to a small number of trusted users and IP addresses via firewall or reverse proxy rules, enforce multi-factor authentication for administrative login to prevent credential compromise, disable or restrict the /admin/images/add endpoint if image uploads are not required, and conduct a security audit of admin account access logs to detect unauthorized uploads. These controls mitigate the attack by preventing unauthorized or compromised administrators from exploiting the vulnerability.

Share

CVE-2025-12331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy