6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65956

GHSA ID

GHSA-7j46-f57w-76pj

EPSS Score

CWE

CWE-79

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65956

CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated.

Details

Formwork CMS fails to properly sanitize data inserted into tags, before saving them and rendering them into the edit blog interface. When a specially crafted tag becomes saved as a tag into the system, it is unable to be removed. Any attempt to remove the tag from the affected post, causes the XSS to trigger once again.

Additionally, once the malicious tag is present, managing standard tags becomes impossible. This is due to script execution on attempted modification. This leads to a form of interface lockout where the payload continually reinserts itself due to the stored, unsafe rendering.

PoC

Log into the CMS as any user.
Select "pages"
<img width="179" height="354" alt="image" src="https://github.com/user-attachments/assets/1d96449c-cc48-45bd-9d66-e6b3068edbfe" />
Select any page utilizing the "Blog Post" template. In this scenario I use the default "Coffee, Mornings and Ideas" page.
<img width="841" height="96" alt="image" src="https://github.com/user-attachments/assets/6c22bbbf-654d-449d-ab21-0443a12510de" />
Insert the malicious payload:
<img width="872" height="202" alt="image" src="https://github.com/user-attachments/assets/a8c1af89-5c71-425d-8beb-c1e21a336440" />
Select Save.
<img width="960" height="430" alt="image" src="https://github.com/user-attachments/assets/956182a6-d91e-4ae1-9b8c-cee60f452b3f" />

Impact

This is a stored cross‑site scripting (XSS) vulnerability.

This impacts all users who access the affected blog post’s edit page.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65956

CVE-2025-65956:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65956

GHSA ID

GHSA-7j46-f57w-76pj

EPSS Score

CWE

CWE-79

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getformwork/formwork	composer	< 2.2.0	2.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue within the Formwork CMS, specifically affecting the blog tags functionality. The root cause of this vulnerability is the improper handling of user-supplied input, which is then rendered into the web page without adequate sanitization. The application uses the innerHTML property to display user-provided content, such as blog tags, filenames, and search queries. This allows an attacker to inject malicious HTML and JavaScript code, which gets stored on the server and executed in the browser of any user viewing the compromised content.

The investigation of the provided patch https://github.com/getformwork/formwork/pull/791 confirms this analysis. The patch addresses the vulnerability by replacing the unsafe usage of innerHTML with the safer innerText property in multiple locations. The innerText property treats the input as plain text, preventing the browser from interpreting it as HTML. In cases where HTML rendering is required, the patch introduces and uses a new escapeHtml function to sanitize the input before it is rendered. This comprehensive approach of replacing innerHTML and adding escaping where necessary effectively mitigates the XSS vulnerability across different components of the application, including the TagsInput, UploadInput, and Pages views.

Vulnerable functions

TagsInput.insertTag

panel/src/ts/components/inputs/tags-input.ts

The `insertTag` function in the `TagsInput` class was vulnerable to stored XSS. It used the `innerHTML` property to set the content of a tag element directly from the `value` parameter. An attacker could provide a malicious string containing HTML and script tags as a tag value. This malicious tag would be saved and then rendered on the page when the blog post is viewed or edited, leading to script execution in the user's browser. The patch mitigates this by replacing `innerHTML` with `innerText`, which treats the input as plain text and does not parse it as HTML.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Details

PoC

Impact

CVE-2025-65956:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Details

PoC

Impact

6.5

6.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Details

PoC

Impact

CVE-2025-65956:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-65956: Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary

Details

PoC

Impact

6.5

6.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI