Willow CMS
CVE-2025-12331
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in Willow CMS up to 1.4.0. Impacted is an unknown function of the file /admin/images/add. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
AnalysisAI
Willow CMS up to version 1.4.0 allows high-privilege authenticated users to upload arbitrary files via an unrestricted file upload vulnerability in the /admin/images/add endpoint. The CVSS 2.0 score reflects the requirement for high-privilege authentication (PR:H), but public exploit code availability combined with low EPSS (0.05th percentile) suggests this is primarily exploitable only by compromised or malicious administrators rather than remote unauthenticated attackers.
Technical ContextAI
The vulnerability exists in the /admin/images/add administrative endpoint, classified under CWE-284 (Improper Access Control). The file upload functionality lacks proper validation and restrictions on uploaded file types or content, allowing authenticated users with high privileges to upload arbitrary files to the server. This is a server-side upload validation weakness rather than a client-side bypass. The affected product is Willow CMS, an open-source content management system maintained by matthewdeaves, which may be used in self-hosted deployments where administrative access control is misconfigured or insider threats exist.
RemediationAI
Upgrade Willow CMS to a version newer than 1.4.0 if a patch has been released; verify the latest release at https://github.com/matthewdeaves/willow. If no patched version is available, implement compensating controls: restrict administrative access to a small number of trusted users and IP addresses via firewall or reverse proxy rules, enforce multi-factor authentication for administrative login to prevent credential compromise, disable or restrict the /admin/images/add endpoint if image uploads are not required, and conduct a security audit of admin account access logs to detect unauthorized uploads. These controls mitigate the attack by preventing unauthorized or compromised administrators from exploiting the vulnerability.
More in Willow Cms
View allSame weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today