GHSA-7J46-F57W-76PJ

Vulnerability from github – Published: 2025-11-24 22:13 – Updated: 2026-02-18 23:48
VLAI?
Summary
Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags
Details

Summary

Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.

Details

Formwork CMS fails to properly sanitize data inserted into tags, before saving them and rendering them into the edit blog interface. When a specially crafted tag becomes saved as a tag into the system, it is unable to be removed. Any attempt to remove the tag from the affected post, causes the XSS to trigger once again.

Additionally, once the malicious tag is present, managing standard tags becomes impossible. This is due to script execution on attempted modification. This leads to a form of interface lockout where the payload continually reinserts itself due to the stored, unsafe rendering.

Impact

This is a stored cross‑site scripting (XSS) vulnerability.

This impacts all users who access the affected blog post’s edit page.

Patches

Formwork 2.2.0 ensures proper escaping of user input in tag fields.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getformwork/formwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-24T22:13:32Z",
    "nvd_published_at": "2025-11-26T00:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nInserting unsanitized data into the blog tag field in Formwork CMS results in stored cross\u2011site scripting (XSS).\nAny user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker\u2011controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.\n\n### Details\nFormwork CMS fails to properly sanitize data inserted into tags, before saving them and rendering them into the edit blog interface.  When a specially crafted tag becomes saved as a tag into the system, it is unable to be removed.  Any attempt to remove the tag from the affected post, causes the XSS to trigger once again.\n\nAdditionally, once the malicious tag is present, managing standard tags becomes impossible. This is due to script execution on attempted modification. This leads to a form of interface lockout where the payload continually reinserts itself due to the stored, unsafe rendering.\n\n### Impact\nThis is a stored cross\u2011site scripting (XSS) vulnerability.\n\nThis impacts all users who access the affected blog post\u2019s edit page.\n\n### Patches\n[Formwork 2.2.0](https://github.com/getformwork/formwork/releases/tag/2.2.0) ensures proper escaping of user input in tag fields.",
  "id": "GHSA-7j46-f57w-76pj",
  "modified": "2026-02-18T23:48:02Z",
  "published": "2025-11-24T22:13:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getformwork/formwork/pull/791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getformwork/formwork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.