What is the CVSS score of CVE-2025-69437?

CVE-2025-69437 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Java are affected by CVE-2025-69437?

PublicCMS versions 5.202506.d and earlier contain a stored cross-site scripting (XSS) vulnerability in PDF upload functionality that allows attackers to inject malicious JavaScript.

Is there a public PoC exploit available for CVE-2025-69437?

Yes, a public proof-of-concept exploit is available for CVE-2025-69437. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-69437?

Within 24 hours: Disable PDF upload functionality in PublicCMS or restrict uploads to administrators only. Within 7 days: Audit all previously uploaded PDFs for suspicious content; review access logs for exploitation attempts. Within 30 days: Implement a content security policy (CSP) to mitigate XSS impact; evaluate alternative file upload solutions or upgrade PublicCMS once a patch is available; conduct security awareness training on file upload risks.

Java CVE-2025-69437

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-27 cve@mitre.org

Java Publiccms XSS

8.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 02:09 vuln.today

Public exploit code

CVE Published

Feb 27, 2026 - 17:16 nvd

HIGH 8.7

DescriptionCVE.org

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.

AnalysisAI

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Publiccms. PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-41699 CRITICAL Act Now

9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at

CVE-2026-47835 HIGH This Week

8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t

CVE-2026-47825 HIGH This Week

8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH This Week

8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

CVE-2025-69437 vulnerability details – vuln.today

Back