CVE-2025-65956

Exploit

EPSS 0.04%
Veröffentlicht 25.11.2025 23:20:23
Zuletzt bearbeitet 03.12.2025 20:30:01
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Formwork Project ≫ Formwork Version < 2.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.104

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.5	2.3	3.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj

Third Party Advisory

Exploit

https://github.com/getformwork/formwork/pull/791

Patch

Issue Tracking

https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-65956

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-65956

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-65956

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-65956