CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags
(updated )
Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.
References
- github.com/advisories/GHSA-7j46-f57w-76pj
- github.com/getformwork/formwork
- github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2
- github.com/getformwork/formwork/pull/791
- github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj
- nvd.nist.gov/vuln/detail/CVE-2025-65956
Code Behaviors & Features
Detect and mitigate CVE-2025-65956 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →