CVE-2025-32426: Formie has a XSS vulnerability for email notification content for preview

4.6 CVSS

Description

Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

Classification

CVE ID: CVE-2025-32426

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: verbb

Product: formie

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.8% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32426
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww

Timeline

2025-04-11 14:40:09 UTC
CVE

Formie has a XSS vulnerability for email notification content for preview
2025-04-11 20:15:28 UTC
Github Advisory Database (Composer)

[verbb/formie] Formie has XSS vulnerability for email notification content for preview