GHSA-vf6x-59hh-332f: Formwork has a cross-site scripting (XSS) vulnerability in Site title

March 1, 2025 (updated March 17, 2025)

The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.

References

github.com/advisories/GHSA-vf6x-59hh-332f
github.com/getformwork/formwork
github.com/getformwork/formwork/commit/aa3e9c684035d9e8495169fde7c57d97faa3f9a2
github.com/getformwork/formwork/security/advisories/GHSA-vf6x-59hh-332f

Code Behaviors & Features

Detect and mitigate GHSA-vf6x-59hh-332f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →