URL: https://github.com/advisories/GHSA-2xm2-23ff-p8ww

Formie has XSS vulnerability for email notification content for preview · CVE-2025-32426 · GitHub Advisory Database · GitHub

Formie has XSS vulnerability for email notification content for preview

Moderate severity · GitHub Reviewed · Published in verbb/formie

Package

verbb/formie (Composer)

Affected versions

<= 2.1.43

Patched versions

2.1.44

Description

Impact

It is possible to inject malicious code into the HTML content of an email notification, which is then rendered in the control-panel preview. There is no issue when the email is rendered through the normal path (a delivered email).

This would require access to the form's email notification settings.
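The failure mode described above, a stored HTML body that is harmless in a mail client but executes once the same markup is echoed into a browser-rendered preview, shown as an added example in PHP (this is not Formie's code; the function names, the sample notification body and the allow-list are constructed for illustration). The unsafe renderer concatenates the stored HTML as-is; the hardened renderer parses it with `DOMDocument`, drops every element outside a small formatting allow-list (so `script`, `img`, `iframe` and similar are removed with their subtrees), strips all attributes except `href`, and rejects `href` values whose scheme is not `http`, `https` or `mailto`.

```php
<?php
// Added example, not Formie's code: preview-rendering of a user-supplied
// email-notification body. The advisory's precondition is that the author
// already has access to the form's notification settings.
declare(strict_types=1);

// Constructed sample: a notification body carrying an event-handler payload.
const SAMPLE_BODY = '<p>Thanks for your <strong>submission</strong>!</p>'
    . '<a href="javascript:alert(1)">link</a>'
    . '<img src="x" onerror="alert(1)">';

// Unsafe preview: the stored HTML reaches the browser unchanged, so any
// script or event handler in it runs in the admin's session.
function renderPreviewUnsafe(string $body): string
{
    return '<div class="email-preview">' . $body . '</div>';
}

// Hardened preview: only allow-listed tags and attributes survive.
function renderPreviewSanitized(string $body): string
{
    return '<div class="email-preview">' . sanitizeHtml($body) . '</div>';
}

function sanitizeHtml(string $html): string
{
    $allowedTags  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
    $allowedAttrs = ['a' => ['href']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // The XML prolog forces UTF-8 decoding; NOIMPLIED keeps our <body> as root.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body, $allowedTags, $allowedAttrs);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Work on a static copy because the loop mutates the child list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, $allowedTags, true)) {
                // Not on the allow-list: remove the element and its subtree.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowedAttrs[$tag] ?? [], true);
                if ($keep && $name === 'href') {
                    $parts  = parse_url(trim($attr->value));
                    $scheme = $parts === false ? null : strtolower((string) ($parts['scheme'] ?? ''));
                    // Relative URLs ('' scheme) and http/https/mailto only; javascript:, data: etc. are dropped.
                    $keep = $scheme !== null && in_array($scheme, ['', 'http', 'https', 'mailto'], true);
                }
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitizeNode($child, $allowedTags, $allowedAttrs);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA and processing instructions carry nothing a preview needs.
            $node->removeChild($child);
        }
    }
}

// Usage: compare the two renderings of the constructed sample.
echo renderPreviewUnsafe(SAMPLE_BODY), PHP_EOL;
echo renderPreviewSanitized(SAMPLE_BODY), PHP_EOL;
```

For the constructed sample the sanitized output keeps the paragraph and the `<a>link</a>` text (with its `javascript:` `href` removed) and drops the `<img>` element entirely. In a production code base a maintained sanitizer such as HTMLPurifier is preferable to a hand-written allow-list, and a Content-Security-Policy on the control panel adds a second layer so that any markup that does slip through still cannot execute inline script.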

Patches

This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

EPSS score

(8th percentile)

CVE ID

CVE-2025-32426

GHSA ID

GHSA-2xm2-23ff-p8ww
