CVE-2025-59113 MEDIUM

CVE-2025-59113: Bruteforce Protection Bypass in Windu CMS

Vendor Jcd
Product Windu CMS
Weakness CWE-307 · Brute force
Published November 18, 2025
Last update December 5, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Windu CMS implements weak, client-side brute-force protection that relies on the loginError parameter. Neither the attempt count nor the timeout is stored on the server, so an attacker can bypass the protection by resetting this parameter. Only version 4.1 was tested and confirmed as vulnerable. The issue was fixed in version 4.1 build 2250.
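The contrast described above, as an added example that is not Windu CMS code or the vendor's fix: a check that trusts a request-supplied loginError value next to a throttle whose attempt count and timeout live on the server. The threshold, the lockout duration, the function and class names, and the in-memory store are all assumptions made for illustration.

```python
import time

MAX_ATTEMPTS = 5        # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 300   # assumed policy: lockout duration in seconds

def weak_is_blocked(request_params):
    """Anti-pattern: the failure counter is read from the request itself."""
    return int(request_params.get("loginError", 0)) >= MAX_ATTEMPTS

class LoginThrottle:
    """Failure count and lockout deadline held server-side, keyed by account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # In-memory dict stands in for a shared store (database or cache).
        self._state = {}  # username -> (failures, locked_until)

    def is_locked(self, username):
        _, locked_until = self._state.get(username, (0, 0.0))
        return self._clock() < locked_until

    def record_failure(self, username):
        failures, locked_until = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= MAX_ATTEMPTS:
            # Start the lockout window and reset the counter for the next one.
            failures, locked_until = 0, self._clock() + LOCKOUT_SECONDS
        self._state[username] = (failures, locked_until)

    def record_success(self, username):
        self._state.pop(username, None)

def handle_login(throttle, username, password, check_password, request_params=None):
    """request_params is accepted but never consulted for throttling."""
    if throttle.is_locked(username):
        return "locked"  # refuse before the password is even checked
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

Because the state is keyed by account name rather than by anything the client sends, a request that reports loginError as 0 is still counted and locked out.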

Key dates

02 Disclosure timeline

November 18, 2025 CVE published
December 5, 2025 Record updated