CVE-2025-69437 (NVD CVSS 3.1 base score: 8.7)
PublicCMS v5.202506.d and earlier allows malicious PDFs to steal user data
Summary
PublicCMS stores uploaded PDF files and serves them back to users. The backend's PDF check (CmsFileUtils.java) can be bypassed, so a PDF carrying embedded JavaScript is accepted and stored; when another user opens that file in the browser, the script runs in the context of the PublicCMS site (stored XSS) and can read the viewer's session credentials or call backend APIs on their behalf. The risk therefore lies with whoever views an uploaded PDF, not only with the uploader. Until a fixed release is available, restrict upload rights to trusted users.
What to do
No fix is available yet. Check with your software vendor for updates. Until one ships, the usual mitigations for this class of bug apply: limit who may upload files, and serve user-uploaded PDFs with a Content-Disposition: attachment header or from a separate origin, so the browser downloads them instead of rendering them inside the application's origin.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| publiccms | publiccms | <= 5.202506.d | – |
Original title
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF...
Original description
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoints, including /cmsTemplate/save, /file/doUpload, /cmsTemplate/doUpload, /file/doBatchUpload, /cmsWebFile/doUpload, etc.
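The description says the backend's PDF check can be bypassed but does not say how. The example below is an added illustration, not PublicCMS code and not the specific bypass from the advisory: it shows two general ways a PDF can hide a JavaScript action from a literal byte search (PDF name hex escapes such as /J#61vaScript, and packing the objects into a FlateDecode object stream) and a check that canonicalises before matching. The sample PDFs are constructed inline; the trigger-name list and the function names are choices made here. It is written in Python rather than the project's Java so it runs stand-alone.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
# /OpenAction is one trigger; /AA (additional actions) and the /Names
# JavaScript tree are others a check has to cover.
PLAIN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert(document.cookie)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no action at all, to confirm no false positive.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Evasion 1: the same payload with names written using #xx hex escapes,
# which PDF name syntax allows, so b"/JavaScript" never appears literally.
ESCAPED_PDF = (PLAIN_PDF
               .replace(b"/JavaScript", b"/J#61va#53cript")
               .replace(b"/JS ", b"/J#53 ")
               .replace(b"/OpenAction", b"/Open#41ction"))


def build_objstm_pdf() -> bytes:
    """Evasion 2 (constructed): catalog and action moved into a FlateDecode
    object stream, so neither dictionary is visible in the raw bytes."""
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>"),
            (3, b"<< /S /JavaScript /JS (app.alert(1)) >>")]
    offsets, body = b"", b""
    for num, obj in objs:
        offsets += b"%d %d " % (num, len(body))
        body += obj + b"\n"
    packed = zlib.compress(offsets + body)
    head = b"%PDF-1.7\n2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    objstm = (b"4 0 obj << /Type /ObjStm /N 2 /First %d /Filter /FlateDecode"
              b" /Length %d >>\n" % (len(offsets), len(packed)))
    return (head + objstm + b"stream\n" + packed
            + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


OBJSTM_PDF = build_objstm_pdf()

# Names whose presence means "this PDF can run code or launch something".
TRIGGERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so that /J#61vaScript compares as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every zlib stream so objects hidden in
    object streams are searched too. Undecodable streams are skipped here;
    a stricter gate would reject the file instead."""
    parts = [data]
    for m in STREAM.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def naive_check(data: bytes) -> bool:
    """Literal byte search: the kind of check both evasions above defeat."""
    return any(t in data for t in TRIGGERS)


def robust_check(data: bytes) -> list:
    """Inflate streams, canonicalise names, then match whole names only.
    Returns the trigger names found (empty list means none)."""
    view = normalize_names(inflate_streams(data))
    return [t.decode() for t in TRIGGERS
            if re.search(re.escape(t) + rb"(?![A-Za-z0-9])", view)]


if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN_PDF), ("escaped", ESCAPED_PDF),
                       ("objstm", OBJSTM_PDF), ("benign", BENIGN_PDF)):
        print(label, "naive:", naive_check(pdf), "robust:", robust_check(pdf))
```

Even the canonicalising version is only a content filter: it does not handle other stream filters (LZW, ASCIIHex), encrypted documents, or incremental updates, and a determined uploader will find the next encoding. Treat it as defence in depth and rely on delivery controls (Content-Disposition: attachment, a separate origin for user content) so that a PDF which slips through never executes in the application's origin.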
NVD CVSS 3.1 base score
8.7
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
References
- https://github.com/sanluan/PublicCMS/issues/103 (tagged: Exploit, Issue Tracking, Vendor Advisory)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026