Getformwork Formwork vulnerabilities
5 known vulnerabilities affecting getformwork/formwork.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4
Vulnerabilities
CVE-2026-27198 | P2 | HIGH | CVSS 8.8 | affected versions >= 2.0.0, < 2.3.4 | published 2026-02-21
CVE-2026-27198 [HIGH] CWE-269
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles
Sources: GHSA, NVD, OSV
CVE-2025-65956 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.2.0 | published 2025-11-26
CVE-2025-65956 [MEDIUM] CWE-79
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is p
Sources: GHSA, NVD, OSV
CVE-2024-37160 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.13.1; affected version = 2.0.0-beta.1 | published 2024-06-07
CVE-2024-37160 [MEDIUM] CWE-79
Formwork is a flat file-based Content Management System (CMS). An attacker (administrator privilege required) can execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.
Sources: GHSA, NVD, OSV
CVE-2024-35621 | P4 | MEDIUM | CVSS 4.8 | affected versions ≥ 0, < 1.13.0 | published 2024-05-28
CVE-2024-35621 [MEDIUM] CWE-79
Formwork Cross-site scripting vulnerability in Markdown fields
### Impact
Users with access to the administration panel with page editing permissions could insert `` tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
### Patches
- [**Formwork 1.13.0**](https://github.com/getformwork/formwork/releases/tag/1.13.0) has been released wit
Sources: GHSA, OSV
CVE-2023-24230 | P4 | MEDIUM | affected versions ≥ 0, < 1.13.0 | published 2023-02-10
CVE-2023-24230 [MEDIUM] CWE-79
Formwork Cross-site Scripting (XSS) from Page title field
### Description
A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.
Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field.
### Patched versions
This v
Sources: GHSA, OSV