CVE-2025-32426 – verbb/formie

Package

Manager: composer
Name: verbb/formie
Vulnerable Version: >=0 <2.1.44

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00021 pctl0.03934

Details

Formie has XSS vulnerability for email notification content for preview ### Impact It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

Metadata

Created: 2025-04-11T19:59:04Z
Modified: 2025-04-11T19:59:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-2xm2-23ff-p8ww/GHSA-2xm2-23ff-p8ww.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2xm2-23ff-p8ww
Finding: F425
Auto approve: 1