Packagist (Composer) package
getformwork/formwork
pkg:composer/getformwork/formwork
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27198 | — | >= 2.0.0, < 2.3.4 | 2.3.4 | Feb 21, 2026 | Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the | ||
| CVE-2025-65956 | — | < 2.2.0 | 2.2.0 | Nov 25, 2025 | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will h | ||
| CVE-2024-37160 | — | < 1.13.1 | 1.13.1 | Jun 7, 2024 | Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages | ||
| CVE-2024-35621 | Med | 4.8 | < 1.13.0 | 1.13.0 | May 28, 2024 | A cross-site scripting (XSS) vulnerability in the Edit function of Formwork before 1.13.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content field. | |
| CVE-2023-24230 | — | < 1.13.0 | 1.13.0 | Feb 10, 2023 | A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter. |
- CVE-2026-27198Feb 21, 2026affected >= 2.0.0, < 2.3.4fixed 2.3.4
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the
- CVE-2025-65956Nov 25, 2025affected < 2.2.0fixed 2.2.0
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will h
- CVE-2024-37160Jun 7, 2024affected < 1.13.1fixed 1.13.1
Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages
- affected < 1.13.0fixed 1.13.0
A cross-site scripting (XSS) vulnerability in the Edit function of Formwork before 1.13.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content field.
- CVE-2023-24230Feb 10, 2023affected < 1.13.0fixed 1.13.0
A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.