Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/verbb/formie@1.5.3

Type composer

Namespace verbb

Name formie

Version 1.5.3

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.1.44

Latest_non_vulnerable_version 3.1.26

Affected_by_vulnerabilities

url VCID-237b-84p9-qud9

vulnerability_id VCID-237b-84p9-qud9

summary Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-35191

reference_id

reference_type

scores

value	0.00218
scoring_system	epss
scoring_elements	0.4459
published_at	2026-06-12T12:55:00Z

value	0.00218
scoring_system	epss
scoring_elements	0.44608
published_at	2026-06-13T12:55:00Z

value	0.00218
scoring_system	epss
scoring_elements	0.44437
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-35191

reference_url

https://github.com/verbb/formie

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/verbb/formie

reference_url

https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

reference_id

90296edf7e707f117e760aa57e70dbd43a854420

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-21T14:44:43Z/

url

https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-35191

reference_id

CVE-2024-35191

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-35191

reference_url

https://github.com/advisories/GHSA-v45m-hxqp-fwf5

reference_id

GHSA-v45m-hxqp-fwf5

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v45m-hxqp-fwf5

reference_url

https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

reference_id

GHSA-v45m-hxqp-fwf5

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-21T14:44:43Z/

url

https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

fixed_packages

url pkg:composer/verbb/formie@2.1.6

purl pkg:composer/verbb/formie@2.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-mm7u-1vux-abfn

vulnerability	VCID-usyq-pzkz-jfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@2.1.6

aliases CVE-2024-35191, GHSA-v45m-hxqp-fwf5

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-237b-84p9-qud9

url VCID-mm7u-1vux-abfn

vulnerability_id VCID-mm7u-1vux-abfn

summary Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32426

reference_id

reference_type

scores

value	0.00349
scoring_system	epss
scoring_elements	0.5792
published_at	2026-06-13T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57792
published_at	2026-06-11T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57904
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32426

reference_url

https://github.com/verbb/formie

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/verbb/formie

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32426

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32426

reference_url	https://github.com/advisories/GHSA-2xm2-23ff-p8ww
reference_id	GHSA-2xm2-23ff-p8ww
reference_type
scores
url	https://github.com/advisories/GHSA-2xm2-23ff-p8ww

reference_url

https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww

reference_id

GHSA-2xm2-23ff-p8ww

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:16:09Z/

url

https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww

fixed_packages

url	pkg:composer/verbb/formie@2.1.44
purl	pkg:composer/verbb/formie@2.1.44
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@2.1.44

url pkg:composer/verbb/formie@3.0.0-beta.1

purl pkg:composer/verbb/formie@3.0.0-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wcj3-p93t-9ybw

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@3.0.0-beta.1

aliases CVE-2025-32426, GHSA-2xm2-23ff-p8ww

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7u-1vux-abfn

url VCID-usyq-pzkz-jfdw

vulnerability_id VCID-usyq-pzkz-jfdw

summary Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. This vulnerability is fixed in 2.1.44.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32427

reference_id

reference_type

scores

value	0.00349
scoring_system	epss
scoring_elements	0.5792
published_at	2026-06-13T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57792
published_at	2026-06-11T12:55:00Z

value	0.00349
scoring_system	epss
scoring_elements	0.57904
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32427

reference_url

https://github.com/verbb/formie

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/verbb/formie

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32427

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32427

reference_url	https://github.com/advisories/GHSA-p9hh-mh5x-wvx3
reference_id	GHSA-p9hh-mh5x-wvx3
reference_type
scores
url	https://github.com/advisories/GHSA-p9hh-mh5x-wvx3

reference_url

https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3

reference_id

GHSA-p9hh-mh5x-wvx3

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-11T14:47:43Z/

url

https://github.com/verbb/formie/security/advisories/GHSA-p9hh-mh5x-wvx3

fixed_packages

url	pkg:composer/verbb/formie@2.1.44
purl	pkg:composer/verbb/formie@2.1.44
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@2.1.44

url pkg:composer/verbb/formie@3.0.0-beta.1

purl pkg:composer/verbb/formie@3.0.0-beta.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wcj3-p93t-9ybw

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@3.0.0-beta.1

aliases CVE-2025-32427, GHSA-p9hh-mh5x-wvx3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-usyq-pzkz-jfdw

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/verbb/formie@1.5.3

Package Instance