CVE-2025-65956

Опубликовано: 26 нояб. 2025

Источник: nvd

CVSS3: 6.5

CVSS3: 5.4

EPSS Низкий

Описание

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.

Ссылки

https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2
Patch
https://github.com/getformwork/formwork/pull/791
Issue Tracking
Patch
https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj
Exploit
Third Party Advisory
https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*

Версия до 2.2.0 (исключая)

EPSS

Процентиль: 10%

0.00036

Низкий

6.5 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-7j46-f57w-76pj

CVSS3: 6.5

github

3 месяца назад

Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

EPSS

Процентиль: 10%

0.00036

Низкий

6.5 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79