
CVE-2025-32426: Formie has XSS vulnerability for email notification content for preview

CVSS Score (v3.1): 4.6

Basic Information

EPSS Score: 0.10855%
Published: 4/11/2025
Updated: 4/11/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| verbb/formie | composer | <= 2.1.43 | 2.1.44 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description states that it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. The fix commit `13bb967277f1b9f59dc0024e9e717795a250b805` changes `src/controllers/EmailController.php`: in the `actionPreview` method, the line `'body' => $email->getHtmlBody()` becomes `'body' => StringHelper::cleanString($email->getHtmlBody())`. Before the fix, `actionPreview` passed the raw HTML returned by `$email->getHtmlBody()` to the preview view, so any script content present in the notification body was rendered as-is in the preview (XSS). `getHtmlBody()` is therefore the source of the potentially malicious content, and the fix sanitizes that content with `StringHelper::cleanString` before it is used.
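As an added example (not Formie's or Miggo's code), this is the shape of the change the fix introduces: the preview handler sanitizes the notification body before handing it to the view. `NotificationStub`, `previewBefore`, `previewAfter` and the DOM-based stripper `cleanHtmlForPreview` are assumed names standing in for Formie's own classes; the page does not describe what `StringHelper::cleanString` does, so the stripper is an assumption, not Formie's implementation.

```php
<?php
// Added example, not Formie's code: a minimal stand-in for the preview path
// in src/controllers/EmailController.php (actionPreview). Names are assumed.
final class NotificationStub
{
    public function __construct(private string $html) {}
    // Stands in for Formie's getHtmlBody(): content an editor can shape.
    public function getHtmlBody(): string { return $this->html; }
}

// Before the fix: raw HTML goes straight into the preview's view variables.
function previewBefore(NotificationStub $email): array
{
    return ['body' => $email->getHtmlBody()];
}

// After the fix: the body is sanitized before the preview is rendered.
function previewAfter(NotificationStub $email): array
{
    return ['body' => cleanHtmlForPreview($email->getHtmlBody())];
}

// Assumed stand-in for StringHelper::cleanString: drops script-like elements,
// on* event handler attributes and javascript: URLs from the HTML fragment.
function cleanHtmlForPreview(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//script|//iframe|//object|//embed') as $node) {
        $node->parentNode->removeChild($node);
    }
    foreach ($xpath->query('//@*') as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = strtolower(trim($attr->nodeValue));
        if (str_starts_with($name, 'on') || str_starts_with($value, 'javascript:')) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    $out = '';
    foreach ($xpath->query('//div[@id="root"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: notification content carrying a script block and an inline handler.
$email = new NotificationStub('<p>Hello</p><script>console.log(1)</script><img src="x" onerror="console.log(2)">');
echo previewBefore($email)['body'], "\n"; // script and handler reach the preview untouched
echo previewAfter($email)['body'], "\n";  // only the paragraph and the bare img remain
```

A hand-written stripper like this is only a stand-in for illustration; in production a maintained HTML sanitizer with an element and attribute allowlist is the safer choice for content rendered inside the control panel.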


Impact

It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to t
