CVE-2025-65956

Published: Nov 26, 2025Modified: Dec 3, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.

Affected (1)

Products: Formwork Project: Formwork

Formwork Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Formwork Project Formwork	Before 2.2.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2

Source: security-advisories@github.com

Patch

https://github.com/getformwork/formwork/pull/791

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.