CVE-2025-65956
Published 2025-11-26
Priority: P4 · 27 · Severity: medium · CVSS 3.1 base score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.17% (7.1th percentile)
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| formwork_project | formwork | < 2.2.0 | 2.2.0 |
| getformwork | formwork | < 2.2.0 | 2.2.0 |
| getformwork | formwork | >= 0 < 2.2.0 | 2.2.0 |
GHSA · 2025-11-24
CVE-2025-65956 [MEDIUM] CWE-79 Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
### Summary
Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS).
Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.
### Details
Formwork CMS fails to sanitize data inserted into tags before saving them and rendering them in the blog edit interface. Once a specially crafted tag has been saved into the system, it cannot be removed: any attempt to remove the tag from the affected post triggers the XSS again.
Addit
OSV · 2025-11-24
CVE-2025-65956 [MEDIUM] Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.