CVE-2025-32426

Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*

History

No history.

Information

Published : 2025-04-11 14:15

Updated : 2025-09-29 14:39

NVD link : CVE-2025-32426

Mitre link : CVE-2025-32426

CVE.ORG link : CVE-2025-32426

JSON object : View

Products Affected

verbb

formie

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-32426", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-04-11T14:15:25.320", "references": [{"url": "https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44."}, {"lang": "es", "value": "Formie es un complemento Craft CMS para crear formularios. Antes de la versi\u00f3n 2.1.44, es posible inyectar c\u00f3digo malicioso en el contenido HTML de una notificaci\u00f3n por correo electr\u00f3nico, que luego se representa en la vista previa. No hay ning\u00fan problema al realizar el correo electr\u00f3nico por medios normales (un correo electr\u00f3nico entregado). Esto requerir\u00eda acceso a la configuraci\u00f3n de notificaci\u00f3n de correo electr\u00f3nico del formulario. Esto se ha solucionado en Formie 2.1.44."}], "lastModified": "2025-09-29T14:39:37.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "C0F1ED41-D4CA-4683-864D-35E0F80CD6B8", "versionEndExcluding": "2.1.44"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}