VYPR
Medium severity · CVSS 4.8 · OSV Advisory · Published May 28, 2024 · Updated Apr 15, 2026

CVE-2024-35621

Description

A cross-site scripting (XSS) vulnerability in the Edit function of Formwork before 1.13.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Formwork's Edit function before 1.13.0 allows attackers to inject arbitrary scripts via the Content field.

Vulnerability Description

CVE-2024-35621 describes a cross-site scripting (XSS) vulnerability in the Edit function of Formwork, a flat-file CMS. The vulnerability exists because the Markdown parser processes user-supplied content without escaping HTML, allowing attackers to inject arbitrary web scripts or HTML. The official description indicates that a crafted payload in the Content field can execute scripts in the context of the victim's browser [1].

Attack Vector

To exploit this vulnerability, an attacker must have access to the content editing functionality, which is typically limited to authenticated administrative users. The attacker injects malicious HTML or JavaScript into the Content field when creating or editing a page. The stored payload then executes when any user views the page, leading to a stored XSS attack. No special network position is required beyond access to the editing interface [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary web scripts in the browser of any user viewing the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the attacker's objective. The CVSS v3.1 score of 4.8 (Medium) reflects the need for authenticated access and the potential for moderate impact [1].

Mitigation

The vulnerability is patched in Formwork version 1.13.0. The fix introduces a content.safeMode option (enabled by default) that escapes HTML input and disallows unsafe links in Markdown processing. Additionally, the DisallowedRawHtmlExtension is added to the CommonMark parser, preventing raw HTML from being rendered [3][4]. Users should upgrade to version 1.13.0 or later to mitigate the risk.
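The following is an added example, not code from the Formwork project or from this advisory. It reproduces the environment options the 1.13.0 fix passes to league/commonmark (html_input escape, allow_unsafe_links false, DisallowedRawHtmlExtension) in a stand-alone function that takes the safe-mode flag as a parameter instead of reading Formwork's config, and wraps it in a regression check a site operator can run after upgrading. It assumes PHP 8 and league/commonmark 2.x installed via Composer; the autoload path and the test inputs are constructed for this example.

```php
<?php
// Added example (not Formwork's code): mirrors the patched
// Formwork\Parsers\Markdown::parse() environment, with $safeMode passed in
// instead of read from App::instance()->config(). Assumes league/commonmark ^2
// (composer require league/commonmark) and PHP 8 (str_contains).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed location of Composer's autoloader

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\DisallowedRawHtml\DisallowedRawHtmlExtension;
use League\CommonMark\Extension\Table\TableExtension;
use League\CommonMark\MarkdownConverter;

/**
 * Render page content the way the fixed parser does. $safeMode stands in for
 * the content.safeMode option: true escapes raw HTML, false passes it through.
 */
function renderContent(string $markdown, bool $safeMode): string
{
    $environment = new Environment([
        'html_input'         => $safeMode ? 'escape' : 'allow',
        'allow_unsafe_links' => false,   // drops javascript:/data: link destinations
        'max_nesting_level'  => 10,
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new TableExtension());
    // Escapes the opening bracket of a fixed set of tag names (script etc.)
    // even when html_input is 'allow'; it does not sanitise attributes.
    $environment->addExtension(new DisallowedRawHtmlExtension());

    return (new MarkdownConverter($environment))->convert($markdown)->getContent();
}

/**
 * Post-upgrade regression check. The inputs are constructed here and stand in
 * for text an editor could type into the Content field. Returns the list of
 * failed checks; an empty array means the safe configuration holds.
 */
function checkSafeMode(): array
{
    $failures = [];

    // Constructed input 1: a raw HTML block. Safe mode must emit it as text.
    $html = renderContent("<script>alert('x')</script>", true);
    if (str_contains($html, '<script')) {
        $failures[] = 'raw HTML block was rendered as markup';
    }
    if (!str_contains($html, '&lt;script')) {
        $failures[] = 'raw HTML block was not escaped';
    }

    // Constructed input 2: inline HTML with an event-handler attribute.
    // Escaping turns the tag into text, so no '<b' may reach the output.
    $html = renderContent("Hello <b onclick=\"alert('x')\">world</b>", true);
    if (str_contains($html, '<b')) {
        $failures[] = 'inline raw HTML was rendered as markup';
    }

    // Constructed input 3: a Markdown link with a javascript: destination.
    // With allow_unsafe_links=false the renderer omits the href entirely.
    $html = renderContent("[click](javascript:alert('x'))", true);
    if (str_contains($html, 'javascript:')) {
        $failures[] = 'unsafe link destination survived';
    }

    return $failures;
}

$failures = checkSafeMode();
if ($failures === []) {
    echo "content.safeMode behaviour OK\n";
    exit(0);
}
foreach ($failures as $failure) {
    echo "FAIL: {$failure}\n";
}
exit(1);
```

Run it from a checkout that has league/commonmark installed; a non-zero exit means the parser still renders editor-supplied HTML. Calling renderContent() with false on the second input shows why the default matters: DisallowedRawHtmlExtension only neutralises a fixed list of tag names, so an inline tag with an event-handler attribute passes through unchanged when safe mode is off.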

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: getformwork/formwork (Packagist)
Affected versions: < 1.13.0
Patched versions: 1.13.0

Affected products: 1

Patches: 3
6adc302f5a29

Add `content.safeMode` (enabled by default) to avoid XSS vulnerabilities

https://github.com/getformwork/formwork · Giuseppe Criscione · May 25, 2024 · via ghsa
2 files changed · +12 −1
  • formwork/config/system.yaml (+1 −0, modified)
    @@ -23,6 +23,7 @@ charset: utf-8
     content:
         path: '${%ROOT_PATH%}/site/content'
         extension: .md
    +    safeMode: true
     
     date:
         dateFormat: Y-m-d
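Review bot: the new `safeMode: true` key carries no comment explaining what it controls, and this file is where a site operator will look before changing it. Add a one-line comment stating that it escapes raw HTML in page content and that setting it to `false` reintroduces the stored XSS. Note also that the same default is repeated as the fallback in `Markdown::parse()` (`get('system.content.safeMode', true)`), so the two must be kept in sync.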
    
  • formwork/src/Parsers/Markdown.php (+11 −1, modified)
    @@ -2,9 +2,11 @@
     
     namespace Formwork\Parsers;
     
    +use Formwork\App;
     use Formwork\Parsers\Extensions\CommonMark\LinkBaseExtension;
     use League\CommonMark\Environment\Environment;
     use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
    +use League\CommonMark\Extension\DisallowedRawHtml\DisallowedRawHtmlExtension;
     use League\CommonMark\Extension\Table\TableExtension;
     use League\CommonMark\MarkdownConverter;
     
    @@ -17,11 +19,19 @@ class Markdown extends AbstractParser
          */
         public static function parse(string $input, array $options = []): string
         {
    -        $environment = new Environment(['formwork' => $options]);
    +        $safeMode = App::instance()->config()->get('system.content.safeMode', true);
    +
    +        $environment = new Environment([
    +            'html_input'         => $safeMode ? 'escape' : 'allow',
    +            'allow_unsafe_links' => false,
    +            'max_nesting_level'  => 10,
    +            'formwork'           => $options,
    +        ]);
     
             $environment->addExtension(new CommonMarkCoreExtension());
             $environment->addExtension(new TableExtension());
             $environment->addExtension(new LinkBaseExtension());
    +        $environment->addExtension(new DisallowedRawHtmlExtension());
     
             $markdownConverter = new MarkdownConverter($environment);
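Review bot: when `$safeMode` is false, `html_input` becomes `'allow'` and the only remaining guard on raw HTML is `DisallowedRawHtmlExtension`, which neutralises a fixed list of tag names by escaping their opening bracket and does not sanitise attributes; `allow_unsafe_links` likewise covers only Markdown link and image destinations, not an `href` inside raw HTML. The option should therefore be documented as "disabling this restores CVE-2024-35621", not as an optional hardening extra. Separately, `'max_nesting_level' => 10` is an unrelated behaviour change that the commit message does not mention; either state why it belongs here or move it to its own commit.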
     
    
2d92e6dbf99a

Add `content.safe_mode` option

https://github.com/getformwork/formwork · Giuseppe Criscione · May 25, 2024 · via ghsa
2 files changed · +12 −1
  • formwork/Core/Formwork.php (+3 −1, modified)
    @@ -144,6 +144,7 @@ public function defaults(): array
                 'languages.http_preferred' => false,
                 'content.path'             => ROOT_PATH . 'content' . DS,
                 'content.extension'        => '.md',
    +            'content.safe_mode'        => true,
                 'files.allowed_extensions' => ['.jpg', '.jpeg', '.png', '.gif', '.svg', '.webp', '.pdf'],
                 'parsers.use_php_yaml'     => 'parse',
                 'templates.path'           => ROOT_PATH . 'templates' . DS,
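Review bot: this branch names the option `content.safe_mode` while the other patch in this advisory uses `content.safeMode`; both ship under the same CVE, so the changelog should state which key applies to which release line, otherwise operators auditing their configuration may check the wrong key and assume they are protected.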
    @@ -338,7 +339,8 @@ protected function defaultRoute(): callable
                     }
                     if ($this->option('cache.enabled') && ($page->has('publish-date') || $page->has('unpublish-date'))) {
                         if (($page->published() && !$this->site->modifiedSince(Date::toTimestamp($page->get('publish-date'))))
    -                    || (!$page->published() && !$this->site->modifiedSince(Date::toTimestamp($page->get('unpublish-date'))))) {
    +                        || (!$page->published() && !$this->site->modifiedSince(Date::toTimestamp($page->get('unpublish-date'))))
    +                    ) {
                             // Clear cache if the site was not modified since the page has been published or unpublished
                             $this->cache->clear();
                             FileSystem::touch($this->option('content.path'));
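Review bot: this hunk only reflows the `if` condition in `defaultRoute()` and has nothing to do with `safe_mode`; mixing a cosmetic edit into a security fix makes the backport harder to review and cherry-pick. Move it to a separate commit.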
    
  • formwork/Parsers/Extensions/ParsedownExtra.php (+9 −0, modified)
    @@ -14,6 +14,15 @@ class ParsedownExtra extends \ParsedownExtra
          */
         protected $baseRoute;
     
    +    /**
    +     * @inheritdoc
    +     */
    +    public function __construct()
    +    {
    +        parent::__construct();
    +        $this->setSafeMode(Formwork::instance()->option('content.safe_mode'));
    +    }
    +
         /**
          * @inheritdoc
          */
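Review bot: the `@inheritdoc` docblock on the new constructor documents nothing, since no parent docblock describes this behaviour; replace it with a comment stating that Parsedown safe mode is enabled from `content.safe_mode`. Consider also casting the option with `(bool)` before passing it to `setSafeMode()` so that a non-boolean value in a user's config file behaves predictably rather than silently weakening escaping.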
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.