Moderate severity · NVD Advisory · Published Nov 25, 2025 · Updated Nov 26, 2025
Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags
CVE-2025-65956
Description
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| getformwork/formwork (Packagist) | < 2.2.0 | 2.2.0 |
References
- github.com/advisories/GHSA-7j46-f57w-76pj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-65956 (ghsa, ADVISORY)
- github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2 (ghsa, x_refsource_MISC, WEB)
- github.com/getformwork/formwork/pull/791 (ghsa, x_refsource_MISC, WEB)
- github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj (ghsa, x_refsource_CONFIRM, WEB)