Stored XSS Vulnerability in KUNO CMS Blog Application
CVE-2025-61681

5.4 MEDIUM

Key Information:

Vendor: Xuemian168
Status: Vendor
CVE Published: 3 October 2025

What is CVE-2025-61681?

KUNO CMS, a full-stack blog application, improperly validates files in its upload functionality. Versions up to 1.3.13 allow a malicious SVG file to be uploaded disguised as an image: the application checks the file type only against the client-supplied Content-Type header, without inspecting the file's content or enforcing an extension whitelist. When a user opens a resource that links to such an upload, the JavaScript embedded in the SVG executes in their browser, which can expose data and create further security risks. Users are advised to upgrade to version 1.3.14, where the vulnerability has been addressed.
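
As an added example (not KUNO CMS code), here is the weak header-only check described above beside a hardened upload validator that applies an extension allowlist and sniffs the file's leading bytes; the function names and the constructed SVG and PNG samples are assumptions, not taken from the advisory.

```python
# Added example (not KUNO CMS code): validate an uploaded image by its
# extension and its real bytes rather than by the client-supplied Content-Type.

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}

# Leading bytes of the raster formats we accept. An SVG is XML text and
# matches none of them, so it is rejected whatever its name or header says.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def header_only_check(content_type):
    """The weak check described in the advisory: trusts the client's label."""
    return content_type.lower().startswith("image/")

def sniff_image_type(data):
    """Return the raster format the bytes actually start with, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def validate_upload(filename, content_type, data):
    """Hardened check: extension allowlist plus content sniffing, which must agree.

    content_type is accepted only so the signature mirrors header_only_check;
    it is deliberately ignored because the client controls it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised raster image"
    if ("jpeg" if ext == "jpg" else ext) != kind:
        return False, "extension does not match content"
    return True, kind

# Constructed samples: an SVG carrying a script element, and a PNG signature
# followed by filler bytes (enough for the sniffer, not a full image).
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

Serving user uploads from a separate origin, or with a Content-Disposition: attachment header, limits the impact should such a check ever be bypassed.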

Affected Version(s)

kuno < 1.3.14

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
