CVE-2025-59111 MEDIUM

CVE-2025-59111: Broken Access Control in Windu CMS

Vendor Jcd
Product Windu CMS
Weakness CWE-863 · Incorrect authorization
Published November 18, 2025
Last update December 5, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Windu CMS is vulnerable to Broken Access Control in its user editing functionality. A malicious attacker can send a GET request that allows privileged users to delete Super Admins, which is not possible through the GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

Key dates

02 Disclosure timeline

November 18, 2025 CVE published
December 5, 2025 Record updated
