CVE-2025-32426

Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*

History

29 Sep 2025, 14:39

Type	Values Removed	Values Added
CPE	cpe:2.3:a:verbb:formie::::::::	cpe:2.3:a:verbb:formie::::::craft_cms::*

17 Sep 2025, 18:35

Type	Values Removed	Values Added
First Time		Verbb Verbb formie
References	~~() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww -~~	() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww - Vendor Advisory
Summary		(es) Formie es un complemento Craft CMS para crear formularios. Antes de la versión 2.1.44, es posible inyectar código malicioso en el contenido HTML de una notificación por correo electrónico, que luego se representa en la vista previa. No hay ningún problema al realizar el correo electrónico por medios normales (un correo electrónico entregado). Esto requeriría acceso a la configuración de notificación de correo electrónico del formulario. Esto se ha solucionado en Formie 2.1.44.
CPE		cpe:2.3:a:verbb:formie::::::::

11 Apr 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-11 14:15

Updated : 2025-09-29 14:39

NVD link : CVE-2025-32426

Mitre link : CVE-2025-32426

CVE.ORG link : CVE-2025-32426

JSON object : View

Products Affected

verbb

formie

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-32426", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-04-11T14:15:25.320", "references": [{"url": "https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44."}, {"lang": "es", "value": "Formie es un complemento Craft CMS para crear formularios. Antes de la versi\u00f3n 2.1.44, es posible inyectar c\u00f3digo malicioso en el contenido HTML de una notificaci\u00f3n por correo electr\u00f3nico, que luego se representa en la vista previa. No hay ning\u00fan problema al realizar el correo electr\u00f3nico por medios normales (un correo electr\u00f3nico entregado). Esto requerir\u00eda acceso a la configuraci\u00f3n de notificaci\u00f3n de correo electr\u00f3nico del formulario. Esto se ha solucionado en Formie 2.1.44."}], "lastModified": "2025-09-29T14:39:37.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "C0F1ED41-D4CA-4683-864D-35E0F80CD6B8", "versionEndExcluding": "2.1.44"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}