
Willow CMS

2 CVEs for this product


CVE-2025-12331 (severity: LOW, public PoC available)

Willow CMS up to version 1.4.0 allows high-privilege authenticated users to upload arbitrary files through an unrestricted file upload vulnerability in the /admin/images/add endpoint. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication required (PR:H). Public exploit code is available, but the low EPSS score (0.05th percentile) suggests the issue is primarily exploitable by compromised or malicious administrators rather than by remote unauthenticated attackers.

Tags: Authentication Bypass, File Upload, Willow CMS
References: NVD, GitHub, VulDB
CVSS 4.0: 2.0
EPSS: 0.0%
CVE-2025-12330 (severity: LOW, public PoC available)

Stored cross-site scripting (XSS) in Willow CMS up to version 1.4.0 allows authenticated administrative users to inject malicious scripts via the title or body parameters of the Add Post page (/admin/articles/add); the scripts then execute in the browsers of other users who view the post. Triggering the vulnerability requires high-privilege authentication and user interaction (visiting the affected page), so the integrity impact is limited. Public exploit code is available, though EPSS analysis indicates a minimal real-world exploitation probability of 0.03%.

Tags: XSS, Willow CMS
References: NVD, GitHub, VulDB
CVSS 4.0: 1.9
EPSS: 0.0%
