How to fix CVE-2025-69437?

Within 24 hours: Disable PDF upload functionality in PublicCMS or restrict uploads to administrators only. Within 7 days: Audit all previously uploaded PDFs for suspicious content; review access logs for exploitation attempts. Within 30 days: Implement a content security policy (CSP) to mitigate XSS impact; evaluate alternative file upload solutions or upgrade PublicCMS once a patch is available; conduct security awareness training on file upload risks.

Is Java affected by CVE-2025-69437?

PublicCMS versions 5.202506.d and earlier contain a stored cross-site scripting (XSS) vulnerability in PDF upload functionality that allows attackers to inject malicious JavaScript.

CVE-2025-69437

HIGH

2026-02-27 [email protected]

8.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 02:09 vuln.today

Public exploit code

CVE Published

Feb 27, 2026 - 17:16 nvd

HIGH 8.7

Description

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.

Analysis

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]

Technical Context

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Publiccms. PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/

Affected Products

Vendor: Publiccms. Product: Publiccms.

Remediation

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: +20

CVE-2025-69437 vulnerability details – vuln.today

Back

CVE-2025-69437

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-69437

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code