CVE-2022-23598

laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the formElementErrors() view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value was not being escaped for HTML contexts, which could potentially lead to a reflected cross-site scripting attack. Versions 3.1.1 and above contain a patch to mitigate the vulnerability. A workaround is available. One may manually place code at the top of a view script where one calls the formElementErrors() view helper. More information about this workaround is available on the GitHub Security Advisory.

Published: Jan 28, 2022
Updated: Nov 16, 2025
CVE: CVE-2022-23598
GHSA: GHSA-jq4p-mq33-w375
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
getlaminas / laminas-form	-	2.17.1
getlaminas / laminas-form	3.1.0	3.1.0.x
getlaminas / laminas-form	3.0.0	3.0.2
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
laminas / laminas-form	3.1.0	3.1.1
laminas / laminas-form	3.0.0	3.0.2
laminas / laminas-form	-	2.17.1

Vulnerability Database

322,904

CVE-2022-23598

Deep Security Visibility Without the Complexity