Unrated severityNVD Advisory· Published Nov 18, 2025· Updated Nov 19, 2025

Open Forms prefill data in read-only components can be tampered

CVE-2025-64515

Description

Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.

Affected products

Open Forms/Open Formsllm-create
Range: <3.3.3
open-formulieren/open-formsv5
Range: >= 3.3.0, < 3.3.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rstmitrex_refsource_MISC
github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rstmitrex_refsource_MISC
github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvfmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000