GHSA-2xm2-23ff-p8ww: XSS
First published: Fri Apr 11 2025(Updated: )
### Impact It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/verbb/formie | <=2.1.43 | 2.1.44 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-2xm2-23ff-p8ww?
GHSA-2xm2-23ff-p8ww is classified as a moderate severity vulnerability.
How do I fix GHSA-2xm2-23ff-p8ww?
To fix GHSA-2xm2-23ff-p8ww, upgrade to version 2.1.44 or later of the Verbb Formie package.
Who is affected by GHSA-2xm2-23ff-p8ww?
Users of Verbb Formie versions up to and including 2.1.43 are affected by GHSA-2xm2-23ff-p8ww.
What kind of attack is possible due to GHSA-2xm2-23ff-p8ww?
GHSA-2xm2-23ff-p8ww allows for the injection of malicious code into HTML content of email notifications.
What are the potential impacts of GHSA-2xm2-23ff-p8ww?
The potential impact of GHSA-2xm2-23ff-p8ww includes exploitation via email previews that can execute malicious code.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2xm2-23ff-p8ww
- alias/CVE-2025-32426
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/source
- agent/last-modified-date
- agent/softwarecombine
- agent/type
- agent/description
- agent/severity
- agent/first-publish-date
- agent/event
- agent/tags
- collector/github-advisory
- package-manager/composer