Code Injection Vulnerability in Formie - Craft CMS Plugin by Verbb
CVE-2025-32426

4.6 MEDIUM

Key Information:

Vendor: Verbb

CVE Published: 11 April 2025

What is CVE-2025-32426?

The Formie plugin for Craft CMS, in versions prior to 2.1.44, allows an attacker to inject malicious code into the HTML content of email notifications. An attacker with access to a form's email notification settings can manipulate that content, and the injected code is then rendered in the email preview. The issue does not occur when emails are delivered normally. The vulnerability is fixed in Formie 2.1.44.

Affected Version(s)

formie < 2.1.44

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved