Package details: pkg:composer/getformwork/formwork@2.0.0
purl pkg:composer/getformwork/formwork@2.0.0
Next non-vulnerable version 2.3.4
Latest non-vulnerable version 2.3.4
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-apsg-z7ny-gkag
Aliases:
CVE-2025-65956
GHSA-7j46-f57w-76pj
Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.
2.2.0
Affected by 1 other vulnerability.
VCID-x5rd-94xr-xuea
Aliases:
CVE-2026-27198
GHSA-34p4-7w83-35g2
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
2.3.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T20:30:50.398835+00:00 | GitLab Importer | Affected by | VCID-apsg-z7ny-gkag | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getformwork/formwork/CVE-2025-65956.yml | 38.6.0
2026-06-12T15:50:31.426037+00:00 | GitLab Importer | Affected by | VCID-x5rd-94xr-xuea | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getformwork/formwork/CVE-2026-27198.yml | 38.6.0
2026-06-11T20:38:04.267085+00:00 | GHSA Importer | Affected by | VCID-x5rd-94xr-xuea | https://github.com/advisories/GHSA-34p4-7w83-35g2 | 38.6.0