PT-2025-16118 · Craft CMS · Formie

Engram-Design · Published 2025-04-11 · Updated 2025-09-17

CVE-2025-32427 · CVSS v3.1: 5.4 (Medium) · Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Formie versions prior to 2.1.44
Description: The issue arises when importing a form from JSON into Formie, a Craft CMS plugin for building forms. If a field label or handle in the import contains malicious content, that value is not correctly escaped when rendering the preview of what is about to be imported, which allows cross-site scripting in the preview page. The severity is moderate because the import path is used by users moving a form from one environment to another, and exploitation requires direct manipulation of the exported JSON; the vulnerability does not occur unless someone deliberately tampers with the export.
Recommendations: For versions prior to 2.1.44, update to version 2.1.44, which resolves the issue. As a temporary workaround, avoid importing forms from untrusted JSON sources and review any JSON export for malicious content before importing it. Restrict access to the form import functionality to minimize the risk of exploitation.
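The defect class described above (untrusted strings from an import file interpolated into preview markup without escaping) and its fix, as an added example that is not Formie's or Craft's own code. The export shape, the `HANDLE_RE` policy and all sample values are constructed assumptions; the point is that the hardened renderer escapes label and handle at the moment they enter HTML and additionally rejects handles that are not plain identifiers.

```python
import html
import json
import re

# Constructed sample export (hypothetical shape; Formie's real export schema
# is not reproduced here). One label carries a script tag so the escaping
# path is exercised.
SAMPLE_EXPORT = json.dumps({
    "title": "Contact form",
    "fields": [
        {"label": "Your name", "handle": "yourName"},
        {"label": "Email <script>alert(1)</script>", "handle": "email"},
    ],
})

# Assumed handle policy: handles are identifier-like and never need markup
# characters, so anything else is rejected before it reaches the preview.
HANDLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def render_preview_unsafe(export_json: str) -> str:
    """Preview renderer with the class of defect the advisory describes:
    label and handle are dropped into HTML verbatim."""
    data = json.loads(export_json)
    rows = "".join(
        f"<tr><td>{field['label']}</td><td>{field['handle']}</td></tr>"
        for field in data["fields"]
    )
    return f"<h2>{data['title']}</h2><table>{rows}</table>"


def validate_handle(handle: object) -> str:
    """Reject handles that are not plain identifiers."""
    if not isinstance(handle, str) or not HANDLE_RE.fullmatch(handle):
        raise ValueError(f"invalid field handle: {handle!r}")
    return handle


def render_preview_safe(export_json: str) -> str:
    """Hardened preview: every untrusted string is HTML-escaped (quotes
    included, so it is also safe inside attribute values) at the point it
    enters markup, and handles are validated on top of that."""
    data = json.loads(export_json)
    title = html.escape(str(data.get("title", "")), quote=True)
    rows = []
    for field in data.get("fields", []):
        label = html.escape(str(field.get("label", "")), quote=True)
        handle = html.escape(validate_handle(field.get("handle")), quote=True)
        rows.append(f"<tr><td>{label}</td><td>{handle}</td></tr>")
    return f"<h2>{title}</h2><table>{''.join(rows)}</table>"


if __name__ == "__main__":
    print("unsafe preview:", render_preview_unsafe(SAMPLE_EXPORT))
    print("safe preview:  ", render_preview_safe(SAMPLE_EXPORT))
```

Escaping at the output boundary is the actual fix; the handle check is defence in depth, since a handle that fails the identifier pattern is a sign the export was edited by hand and the import should be refused rather than previewed.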

Exploit · Fix · XSS


Related Identifiers: CVE-2025-32427, GHSA-P9HH-MH5X-WVX3

Affected Products: Formie