Search criteria
6 vulnerabilities found for formwork by getformwork
CVE-2026-27198 (GCVE-0-2026-27198)
Vulnerability from nvd – Published: 2026-02-21 05:11 – Updated: 2026-02-21 05:11
VLAI?
Title
Formwork Improperly Manages Privileges During User Creation
Summary
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
>= 2.0.0, < 2.3.4
|
{
"containers": {
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T05:11:42.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2"
},
{
"name": "https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd"
},
{
"name": "https://github.com/getformwork/formwork/releases/tag/2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/releases/tag/2.3.4"
}
],
"source": {
"advisory": "GHSA-34p4-7w83-35g2",
"discovery": "UNKNOWN"
},
"title": "Formwork Improperly Manages Privileges During User Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27198",
"datePublished": "2026-02-21T05:11:42.535Z",
"dateReserved": "2026-02-18T19:47:02.155Z",
"dateUpdated": "2026-02-21T05:11:42.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65956 (GCVE-0-2025-65956)
Vulnerability from nvd – Published: 2025-11-25 23:20 – Updated: 2025-11-26 16:11
VLAI?
Title
Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags
Summary
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65956",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T16:10:59.673216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T16:11:03.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross\u2011site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker\u2011controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T23:20:23.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj"
},
{
"name": "https://github.com/getformwork/formwork/pull/791",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/pull/791"
},
{
"name": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2"
}
],
"source": {
"advisory": "GHSA-7j46-f57w-76pj",
"discovery": "UNKNOWN"
},
"title": "Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65956",
"datePublished": "2025-11-25T23:20:23.965Z",
"dateReserved": "2025-11-18T16:14:56.693Z",
"dateUpdated": "2025-11-26T16:11:03.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37160 (GCVE-0-2024-37160)
Vulnerability from nvd – Published: 2024-06-07 14:09 – Updated: 2024-08-02 03:50
VLAI?
Title
Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata
Summary
Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
< 1.13.1
Affected: = 2.0.0-beta.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"lessThan": "1.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "affected",
"version": "2.0.0-beta.1"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T16:41:21.309222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T17:03:41.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"
},
{
"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"
},
{
"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.1"
},
{
"status": "affected",
"version": "= 2.0.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T14:09:55.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"
},
{
"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"
},
{
"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"
}
],
"source": {
"advisory": "GHSA-5pxr-7m4j-jjc6",
"discovery": "UNKNOWN"
},
"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37160",
"datePublished": "2024-06-07T14:09:55.132Z",
"dateReserved": "2024-06-03T17:29:38.329Z",
"dateUpdated": "2024-08-02T03:50:55.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-27198 (GCVE-0-2026-27198)
Vulnerability from cvelistv5 – Published: 2026-02-21 05:11 – Updated: 2026-02-21 05:11
VLAI?
Title
Formwork Improperly Manages Privileges During User Creation
Summary
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
>= 2.0.0, < 2.3.4
|
{
"containers": {
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T05:11:42.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2"
},
{
"name": "https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd"
},
{
"name": "https://github.com/getformwork/formwork/releases/tag/2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/releases/tag/2.3.4"
}
],
"source": {
"advisory": "GHSA-34p4-7w83-35g2",
"discovery": "UNKNOWN"
},
"title": "Formwork Improperly Manages Privileges During User Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27198",
"datePublished": "2026-02-21T05:11:42.535Z",
"dateReserved": "2026-02-18T19:47:02.155Z",
"dateUpdated": "2026-02-21T05:11:42.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65956 (GCVE-0-2025-65956)
Vulnerability from cvelistv5 – Published: 2025-11-25 23:20 – Updated: 2025-11-26 16:11
VLAI?
Title
Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags
Summary
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65956",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T16:10:59.673216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T16:11:03.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross\u2011site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker\u2011controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T23:20:23.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj"
},
{
"name": "https://github.com/getformwork/formwork/pull/791",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/pull/791"
},
{
"name": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2"
}
],
"source": {
"advisory": "GHSA-7j46-f57w-76pj",
"discovery": "UNKNOWN"
},
"title": "Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65956",
"datePublished": "2025-11-25T23:20:23.965Z",
"dateReserved": "2025-11-18T16:14:56.693Z",
"dateUpdated": "2025-11-26T16:11:03.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37160 (GCVE-0-2024-37160)
Vulnerability from cvelistv5 – Published: 2024-06-07 14:09 – Updated: 2024-08-02 03:50
VLAI?
Title
Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata
Summary
Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getformwork | formwork |
Affected:
< 1.13.1
Affected: = 2.0.0-beta.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"lessThan": "1.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "affected",
"version": "2.0.0-beta.1"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T16:41:21.309222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T17:03:41.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"
},
{
"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"
},
{
"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "formwork",
"vendor": "getformwork",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.1"
},
{
"status": "affected",
"version": "= 2.0.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T14:09:55.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"
},
{
"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"
},
{
"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"
}
],
"source": {
"advisory": "GHSA-5pxr-7m4j-jjc6",
"discovery": "UNKNOWN"
},
"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37160",
"datePublished": "2024-06-07T14:09:55.132Z",
"dateReserved": "2024-06-03T17:29:38.329Z",
"dateUpdated": "2024-08-02T03:50:55.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}