CVE-2025-61681: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xuemian168 kuno
KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14.
AI Analysis
Technical Summary
CVE-2025-61681 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting versions 1.3.13 and below of the KUNO CMS, a full-stack blog application developed by xuemian168. The vulnerability arises from improper input validation in the file upload functionality. Specifically, the upload endpoint only validates the file type based on the Content-Type HTTP header, without performing any file content inspection or enforcing an extension whitelist. This allows attackers to upload SVG files containing embedded malicious JavaScript code disguised as images. When a user accesses a page displaying the uploaded SVG resource, the malicious script executes in the user's browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was publicly disclosed on October 3, 2025, and fixed in version 1.3.14 of KUNO CMS. The CVSS v3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact primarily affects confidentiality and integrity of user data, with no direct impact on availability. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations using KUNO CMS versions prior to 1.3.14, this vulnerability poses a risk of client-side code execution leading to potential theft of user credentials, session tokens, or other sensitive information. This can facilitate further attacks such as account takeover or unauthorized actions within the CMS or connected systems. Since KUNO CMS is a blogging platform, organizations relying on it for public-facing content may suffer reputational damage if attackers inject malicious scripts that affect visitors. The vulnerability could also be leveraged to distribute malware or conduct phishing campaigns targeting European users. Given the medium CVSS score and the requirement for user interaction (visiting a maliciously crafted page), the risk is moderate but non-negligible. Organizations with high traffic or sensitive user bases should prioritize remediation to prevent exploitation. The lack of file content validation and reliance on Content-Type headers is a common security oversight that can be exploited in similar CMS or web applications, highlighting the importance of robust input validation controls.
Mitigation Recommendations
1. Upgrade KUNO CMS to version 1.3.14 or later, where this vulnerability is patched.
2. Implement strict server-side validation of uploaded files beyond Content-Type headers, including:
   - Enforce a whitelist of allowed file extensions (e.g., restrict to safe image formats like PNG, JPEG).
   - Perform content inspection to verify that uploaded files conform to expected formats and do not contain embedded scripts.
3. Sanitize and encode all user-generated content before rendering it in web pages to prevent script execution.
4. Apply Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of untrusted resources.
5. Monitor upload endpoints for anomalous activity and implement rate limiting to reduce attack surface.
6. Educate users and administrators about the risks of clicking on untrusted links or accessing suspicious content.
7. Regularly audit and test web applications for similar input validation weaknesses, especially in file upload functionality.
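A sketch of recommendations 2 and 4, added here as an example; it is not KUNO's code and not the 1.3.14 patch. The names `ValidateUpload`, `ServeHeaders` and `allowed`, and the sample bytes, are assumptions made for illustration. The client's Content-Type header is ignored; the decision comes from an extension allowlist plus content sniffing, and the stored file is then served with headers that stop the browser from reinterpreting it.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Extension allowlist; each entry names the type the bytes must sniff as.
var allowed = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
}

// Constructed samples: a PNG signature plus chunk header, and an SVG with a script element.
var samplePNG = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
var sampleSVG = []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>`)

// ValidateUpload decides from the filename and the bytes. The client's
// Content-Type is taken only to show that it plays no part in the decision.
func ValidateUpload(filename, clientContentType string, body []byte) (string, error) {
	_ = clientContentType // attacker-controlled
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowed[ext]
	if !ok {
		return "", fmt.Errorf("upload rejected: extension %q not allowed", ext)
	}
	// DetectContentType inspects at most the first 512 bytes.
	if got := http.DetectContentType(body); got != want {
		return "", fmt.Errorf("upload rejected: content sniffs as %q, not %q", got, want)
	}
	return want, nil
}

// ServeHeaders sets the validated type, disables sniffing, and adds a CSP that blocks script.
func ServeHeaders(mime string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", mime)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	_, err := ValidateUpload("logo.svg", "image/png", sampleSVG)
	fmt.Println("svg with spoofed header:", err)
	mime, err := ValidateUpload("photo.png", "image/png", samplePNG)
	fmt.Println("png:", mime, err, ServeHeaders(mime))
}
```

An SVG renamed to `.png` passes the extension check but fails the content check, which is why both are applied.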
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-29T20:25:16.182Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e045c4d49c5616e17c79ba
Added to database: 10/3/2025, 9:53:08 PM
Last enriched: 10/3/2025, 9:53:22 PM
Last updated: 10/4/2025, 12:10:09 AM