CVE-2025-62369 HIGH

CVE-2025-62369: Xibo CMS: Remote Code Execution through module templates

Vendor Xibosignage
Product xibo-cms
Weakness CWE-94 · Code injection
Published November 4, 2025
Last update November 5, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the Module Templating functionality of the CMS Developer menu. It allows authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To work around this issue, use the 4.1 and 4.2 patch commits.

Key dates

02 Disclosure timeline

November 4, 2025 CVE published
November 5, 2025 Record updated