Vulnerability Database

315,294

Total vulnerabilities in the database

Formwork has a cross-site scripting (XSS) vulnerability in Site title

Summary

The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.

Impact

The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.

Patches

Formwork 2.x (aa3e9c6) escapes site title from panel header navigation.

Details

By embedding "<!--", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.

PoC

The page where the vulnerability was found, and the attack surface is the Title field.
I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected.
Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.

Published: Mar 1, 2025
Updated: Apr 30, 2025
GHSA: GHSA-vf6x-59hh-332f
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWEs:

CWE-80

Affected Software
References

Software	From	Fixed in
getformwork / formwork	2.0.0-beta.3	2.0.0-beta.3.x
getformwork / formwork	2.0.0-beta.3	2.0.0-beta.4

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo