CVE-2025-8116

6.1 MEDIUM

📋 TL;DR

PAD CMS is vulnerable to reflected cross-site scripting (XSS) in printing and PDF save functionality. Attackers can craft malicious URLs that execute arbitrary JavaScript in victims' browsers when opened. This affects all PAD CMS installations using www, bip, or www+bip templates.

💻 Affected Systems

Products:
  • PAD CMS
Versions: All versions (product is End-Of-Life)
Operating Systems: Any OS running PAD CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all 3 templates: www, bip, and www+bip. Product is End-Of-Life with no official patches available.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware through the victim's browser.

🟠 Likely Case

Attackers would use phishing to trick users into clicking malicious links, leading to session hijacking or credential theft from authenticated users.

🟢 If Mitigated

With proper input validation and output encoding, the malicious payload would be neutralized before reaching the browser.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but no authentication. Attack complexity is low because this is a standard reflected XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch is available because the product is End-Of-Life. The vendor will not publish fixes.

🔧 Temporary Workarounds

Implement WAF with XSS protection (platforms: all)

Deploy a web application firewall that can detect and block XSS payloads in URLs

Disable affected functionality (platforms: all)

Remove or disable printing and PDF save features if not essential

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Deploy network segmentation to isolate PAD CMS from critical systems

🔍 How to Verify

Check if Vulnerable:

Test by injecting basic XSS payloads into the printing/PDF save parameters and checking whether they execute in the browser

Check Version:

Check PAD CMS version in admin panel or configuration files

Verify Fix Applied:

Verify that injected scripts are properly encoded or blocked when testing the same payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters containing script tags or JavaScript in printing/PDF requests
  • Multiple failed attempts with suspicious parameter values

Network Indicators:

  • HTTP requests with suspicious characters (<, >, script, javascript) in URL parameters
  • Outbound connections to unexpected domains following PDF/print requests

SIEM Query:

source="web_logs" AND (url="*print*" OR url="*pdf*") AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
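
Request URLs are usually logged percent-encoded, so the literal strings in the query above will not match an encoded or double-encoded payload. The following Python filter is an added example, not part of the original advisory: it decodes each request target before applying the same indicators. The log lines, paths and parameter names are constructed for illustration and are not PAD CMS's real ones.

```python
import re
from urllib.parse import unquote_plus

# Same indicators as the SIEM query, applied after decoding.
INDICATORS = re.compile(r"<\s*script|javascript:|\bon(?:error|load)\s*=", re.I)
FEATURE = re.compile(r"print|pdf", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalized."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_no, decoded_target) for print/PDF requests carrying an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable access-log request line
        target = fully_decode(m.group(1))
        if FEATURE.search(target) and INDICATORS.search(target):
            hits.append((n, target))
    return hits


# Constructed sample lines; paths and parameter names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /print.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /print.php?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /pdf.php?title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4988',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: {target}")
```

Line 3 of the sample is double-encoded and is caught only because of the repeated decoding; line 4 carries an indicator but is outside the print/PDF scope of the query.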
