CVE-2025-32426

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

ormie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. This has been fixed in Formie 2.1.44.

References

Link	Resource
https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:verbb:formie:*:*:*:*:*:craft_cms:*:*

History

29 Sep 2025, 14:39

Type	Values Removed	Values Added
References	~~() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww -~~	() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww - Vendor Advisory
First Time		Verbb formie Verbb
CPE		cpe:2.3:a:verbb:formie::::::craft_cms::*
References	~~() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww -~~	() https://github.com/verbb/formie/security/advisories/GHSA-2xm2-23ff-p8ww - Vendor Advisory
Summary		(es) Formie es un complemento Craft CMS para crear formularios. Antes de la versión 2.1.44, es posible inyectar código malicioso en el contenido HTML de una notificación por correo electrónico, que luego se representa en la vista previa. No hay ningún problema al realizar el correo electrónico por medios normales (un correo electrónico entregado). Esto requeriría acceso a la configuración de notificación de correo electrónico del formulario. Esto se ha solucionado en Formie 2.1.44.
CPE		cpe:2.3:a:verbb:formie::::::craft_cms::*
First Time		Verbb formie Verbb

11 Apr 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-11 14:15

Updated : 2025-09-29 14:39

NVD link : CVE-2025-32426

Mitre link : CVE-2025-32426

CVE.ORG link : CVE-2025-32426

JSON object : View

Products Affected

verbb

formie

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.6 /10