← volver
CVE-2025-32426

Formie has a XSS vulnerability for email notification content for preview

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.6EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
11 abr 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Productos afectados
verbb · formie

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww