windu CVE Vulnerabilities & Metrics

Focus on windu vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About windu Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with windu. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total windu CVEs: 10
Earliest CVE date: 01 Aug 2019, 15:15 UTC
Latest CVE date: 18 Nov 2025, 15:16 UTC

Latest CVE reference: CVE-2025-59117

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 8

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical windu CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.11

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	8
4.0-6.9	2
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS windu CVEs

These are the five CVEs with the highest CVSS scores for windu, sorted by severity first and recency.

CVE-2013-7473 windu Published on 01 Aug 2019, 15:15 UTC (CVSS: 6.8)
Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.
CVE-2013-7474 windu Published on 01 Aug 2019, 15:15 UTC (CVSS: 4.3)
Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.
CVE-2025-59117 windu Published on 18 Nov 2025, 15:16 UTC (CVSS: 0)
Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.
CVE-2025-59116 windu Published on 18 Nov 2025, 15:16 UTC (CVSS: 0)
Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.
CVE-2025-59115 windu Published on 18 Nov 2025, 15:16 UTC (CVSS: 0)
Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

All CVEs for windu

CVE-2025-59117 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59116 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59115 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59114 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59113 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59112 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59111 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2025-59110 windu vulnerability CVSS: 0 18 Nov 2025, 15:16 UTC

Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVE-2013-7474 windu vulnerability CVSS: 4.3 01 Aug 2019, 15:15 UTC

Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.

CVE-2013-7473 windu vulnerability CVSS: 6.8 01 Aug 2019, 15:15 UTC

Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.