Package details: pkg:composer/getformwork/formwork@2.2.0
purl pkg:composer/getformwork/formwork@2.2.0
Next non-vulnerable version 2.3.4
Latest non-vulnerable version 2.3.4
Risk
Vulnerabilities affecting this package (1)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-x5rd-94xr-xuea (Aliases: CVE-2026-27198, GHSA-34p4-7w83-35g2) | Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4. | 2.3.4 (Affected by 0 other vulnerabilities.) |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-apsg-z7ny-gkag | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | CVE-2025-65956, GHSA-7j46-f57w-76pj |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T21:01:47.186233+00:00 | GitLab Importer | Affected by | VCID-x5rd-94xr-xuea | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getformwork/formwork/CVE-2026-27198.yml | 38.6.0 |
| 2026-06-12T15:49:15.573728+00:00 | GitLab Importer | Fixing | VCID-apsg-z7ny-gkag | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getformwork/formwork/CVE-2025-65956.yml | 38.6.0 |
| 2026-06-12T07:54:28.216644+00:00 | GithubOSV Importer | Fixing | VCID-apsg-z7ny-gkag | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-7j46-f57w-76pj/GHSA-7j46-f57w-76pj.json | 38.6.0 |
| 2026-06-11T20:36:50.630187+00:00 | GHSA Importer | Fixing | VCID-apsg-z7ny-gkag | https://github.com/advisories/GHSA-7j46-f57w-76pj | 38.6.0 |