CVE-2025-32426: Formie has an XSS vulnerability in email notification content rendered in the preview
It is possible to inject malicious code into the HTML content of an email notification, which is then rendered unescaped in the notification preview. The same content causes no issue when the email is rendered through the normal path (a delivered email).
Exploiting this requires access to the form's email notification settings.
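The defensive pattern behind a fix for this class of bug is to treat stored notification HTML as untrusted whenever it is rendered into a control-panel page, and to pass it through an allow-list sanitizer before the preview is built. The following is an added example, not Formie's code (Formie is a PHP/Craft CMS plugin, and this is Python on `html.parser`); the allowed tag and attribute sets, the function names and the `SAMPLE_NOTIFICATION` string are constructed assumptions for illustration. It shows the unsafe "interpolate the stored HTML straight into the page" pattern next to a hardened preview renderer that drops `script`/`style` content, event-handler attributes, non-allow-listed tags and `javascript:` links while keeping ordinary formatting and merge placeholders intact.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list for what a notification preview may contain (assumed for this example).
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}


def _safe_url(value):
    """Reject javascript:, data: and other non-allow-listed URL schemes."""
    scheme = urlsplit((value or "").strip()).scheme.lower()
    return scheme in SAFE_URL_SCHEMES


class PreviewSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0   # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1          # drop the element and its text
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return                         # drop the tag, keep any text children
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                   # onerror=, style=, src= etc. are discarded
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth:
            return
        # convert_charrefs decoded entities; re-escape so text can never become markup
        self.out.append(escape(data, quote=False))
    # comments, doctype and other declarations fall through to no-op handlers and are dropped


def sanitize_notification_html(raw):
    parser = PreviewSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def render_preview_unsafe(raw):
    """The vulnerable pattern: stored HTML interpolated directly into the admin page."""
    return f'<div class="preview">{raw}</div>'


def render_preview(raw):
    """Hardened pattern: sanitize before the content reaches the control panel."""
    return f'<div class="preview">{sanitize_notification_html(raw)}</div>'


# Constructed sample of notification content containing injected markup.
SAMPLE_NOTIFICATION = (
    '<p>Hello <strong>{name}</strong>,</p>'
    '<script>alert(1)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    print("unsafe  :", render_preview_unsafe(SAMPLE_NOTIFICATION))
    print("hardened:", render_preview(SAMPLE_NOTIFICATION))
```

In a real deployment the allow-list belongs in a maintained sanitizer library rather than hand-rolled parsing, and the same sanitization must be applied at render time, not only on save, so that content stored before the fix is covered as well.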