VYPR
Moderate severity · NVD Advisory · Published Nov 25, 2025 · Updated Nov 26, 2025

Formwork CMS Has a Stored Cross-Site Scripting (XSS) Vulnerability in Blog Tags

CVE-2025-65956

Description

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| getformwork/formwork (Packagist) | < 2.2.0 | 2.2.0 |
