| purl | pkg:composer/getformwork/formwork@2.0.0-beta.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-am1a-amf4-v7gj (Aliases: GHSA-c85w-x26q-ch87) | Formwork improperly validates input of the User role, preventing site and panel availability. **Summary:** Improper validation of select fields allows attackers to craft an input that crashes the system, resulting in a 500 status and making the entire site and administration panel unavailable. This clearly impacts the Availability aspect of the CIA triad (confidentiality, integrity, and availability), although the attack still has certain limitations. **Details:** The attack involves injecting any invalid user role value. Doing this changes the user's data in a way that prevents users, and then the entire site, from loading. Even though the actual data change is minimal, the error is unrecoverable until a valid role parameter is restored by direct modification of the user account file. Proper validation of select fields will prevent extraneous values from being accepted and making the entire site and administration panel unavailable. **Patches:** [**Formwork 2.x** (d9f0c1f)](https://github.com/getformwork/formwork/commit/d9f0c1feb3b9855d5bdc8bb189c0aaab2792e7ca) adds proper validation to select fields. **Impact:** The condition for this attack is having high privileges or Admin access, which means it could be exploited by an Insider Threat. Alternatively, if an attacker gains access to a privileged user account, they can execute the attack as well. Overall, the attack is relatively difficult to carry out, but if successful, the impact and damage would be significant. | Affected by 1 other vulnerability. |
| VCID-apsg-z7ny-gkag (Aliases: CVE-2025-65956, GHSA-7j46-f57w-76pj) | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-cyvu-6p8a-jfhz | Formwork is a flat file-based Content Management System (CMS). It allows an attacker (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1. | CVE-2024-37160, GHSA-5pxr-7m4j-jjc6 |