Vulnerabilities related to verbb - formie
CVE-2025-32426 (GCVE-0-2025-32426)
Vulnerability from cvelistv5
Published: 2025-04-11 13:42
Modified: 2025-04-11 14:16
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.
References
| URL | Tags |
|---|---|
| https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32426", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T14:16:09.287068Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T14:16:53.734Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "formie", "vendor": "verbb", "versions": [ { "status": "affected", "version": "\u003c 2.1.44" } ] } ], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form\u0027s email notification settings. This has been fixed in Formie 2.1.44." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-11T13:42:21.972Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww" } ], "source": { "advisory": "GHSA-2xm2-23ff-p8ww", "discovery": "UNKNOWN" }, "title": "Formie has a XSS vulnerability for email notification content for preview" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32426", "datePublished": "2025-04-11T13:42:21.972Z", "dateReserved": "2025-04-08T10:54:58.367Z", "dateUpdated": "2025-04-11T14:16:53.734Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32427 (GCVE-0-2025-32427)
Vulnerability from cvelistv5
Published: 2025-04-11 13:42
Modified: 2025-04-11 14:48
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaken primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. This vulnerability is fixed in 2.1.44.
References
| URL | Tags |
|---|---|
| https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32427", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T14:47:43.595254Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T14:48:00.321Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "formie", "vendor": "verbb", "versions": [ { "status": "affected", "version": "\u003c 2.1.44" } ] } ], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn\u0027t correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. This vulnerability is fixed in 2.1.44." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-11T13:42:13.854Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3" } ], "source": { "advisory": "GHSA-p9hh-mh5x-wvx3", "discovery": "UNKNOWN" }, "title": "Formie has a XSS vulnerability for importing forms" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32427", "datePublished": "2025-04-11T13:42:13.854Z", "dateReserved": "2025-04-08T10:54:58.367Z", "dateUpdated": "2025-04-11T14:48:00.321Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35191 (GCVE-0-2024-35191)
Vulnerability from cvelistv5
Published: 2024-05-20 20:26
Modified: 2024-08-02 03:07
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
References
| URL | Tags |
|---|---|
| https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 | x_refsource_CONFIRM |
| https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:verbb:formie:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "formie", "vendor": "verbb", "versions": [ { "lessThan": "2.1.6", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35191", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-21T14:44:43.052581Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T19:18:34.888Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.830Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5" }, { "name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "formie", "vendor": "verbb", "versions": [ { "status": "affected", "version": "\u003c 2.1.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form\u0027s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-20T20:26:24.492Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5" }, { "name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420" } ], "source": { "advisory": "GHSA-v45m-hxqp-fwf5", "discovery": "UNKNOWN" }, "title": "verbb/formie Server-Side Template Injection for variable-enabled settings" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-35191", "datePublished": "2024-05-20T20:26:24.492Z", "dateReserved": "2024-05-10T14:24:24.341Z", "dateUpdated": "2024-08-02T03:07:46.830Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published: 2025-04-11 14:15
Modified: 2025-09-29 14:39
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaken primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. This vulnerability is fixed in 2.1.44.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "C0F1ED41-D4CA-4683-864D-35E0F80CD6B8", "versionEndExcluding": "2.1.44", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn\u0027t correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. This vulnerability is fixed in 2.1.44." }, { "lang": "es", "value": "Formie es un complemento Craft CMS para crear formularios. Antes de 2.1.44, al importar un formulario de JSON, si la etiqueta o el mango de campo conten\u00eda contenido malicioso, la salida no se escap\u00f3 correctamente al ver una vista previa de lo que se importar\u00eda. Como las importaciones son emprendidas principalmente por usuarios que han exportado el formulario de un entorno a otro, y requerir\u00edan la manipulaci\u00f3n directa de la exportaci\u00f3n JSON, esto se marca como moderado. Esta vulnerabilidad no ocurrir\u00e1 a menos que alguien manifeste deliberadamente con la exportaci\u00f3n. Esta vulnerabilidad se fija en 2.1.44." 
} ], "id": "CVE-2025-32427", "lastModified": "2025-09-29T14:39:45.743", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-04-11T14:15:25.457", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published: 2025-04-11 14:15
Modified: 2025-09-29 14:39
Severity
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "C0F1ED41-D4CA-4683-864D-35E0F80CD6B8", "versionEndExcluding": "2.1.44", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form\u0027s email notification settings. This has been fixed in Formie 2.1.44." }, { "lang": "es", "value": "Formie es un complemento Craft CMS para crear formularios. Antes de la versi\u00f3n 2.1.44, es posible inyectar c\u00f3digo malicioso en el contenido HTML de una notificaci\u00f3n por correo electr\u00f3nico, que luego se representa en la vista previa. No hay ning\u00fan problema al realizar el correo electr\u00f3nico por medios normales (un correo electr\u00f3nico entregado). Esto requerir\u00eda acceso a la configuraci\u00f3n de notificaci\u00f3n de correo electr\u00f3nico del formulario. Esto se ha solucionado en Formie 2.1.44." 
} ], "id": "CVE-2025-32426", "lastModified": "2025-09-29T14:39:37.690", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-04-11T14:15:25.320", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published: 2024-05-20 21:15
Modified: 2025-09-29 14:16
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "F5C5A1E9-35C3-45C5-B2F6-D20691BF7678", "versionEndExcluding": "2.0.44", "vulnerable": true }, { "criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "FC24BB4B-1EEE-497E-9D68-A2FC9C75D37C", "versionEndExcluding": "2.1.6", "versionStartIncluding": "2.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form\u0027s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6." }, { "lang": "es", "value": "Formie es un complemento de Craft CMS para crear formularios. Antes de 2.1.6, los usuarios con acceso a la configuraci\u00f3n de un formulario pod\u00edan incluir c\u00f3digo Twig malicioso en campos compatibles con Twig. Estos podr\u00edan ser el t\u00edtulo del env\u00edo o el mensaje de \u00e9xito. Este c\u00f3digo luego se ejecutar\u00e1 al crear un env\u00edo o al representar el texto. Esto se ha solucionado en Formie 2.1.6." 
} ], "id": "CVE-2024-35191", "lastModified": "2025-09-29T14:16:26.123", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-05-20T21:15:09.307", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1336" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }