PT-2026-32588 · 10Web · Form Maker

Naoya Takahashi · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-4388

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Form Maker by 10Web versions prior to 1.15.41

Description

Stored Cross-Site Scripting is possible via the Matrix field (Text Box input type) in form submissions. The issue arises from insufficient input sanitization using the sanitize_text_field function, which removes tags but fails to strip quotes, combined with a lack of output escaping when rendering submission data in the admin Submissions view. This allows unauthenticated attackers to inject arbitrary JavaScript that executes in the browser of an administrator viewing the submission details.

Recommendations

Update to a version later than 1.15.40.
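
The sanitize-versus-escape gap named in the description, as an added example that is not the plugin's code: it assumes the stored value is printed inside a quoted HTML attribute (the advisory does not state the output context). The two render_cell_* functions are hypothetical, the sample input is constructed, and the parser count shows the unescaped output gaining an attribute that the escaped output does not.

```php
<?php
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// functions are used. They approximate only the behaviour relevant here.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Simplified: strips tags, collapses whitespace, leaves quotes alone.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $str)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical renderers for one stored cell value (not the plugin's code).
function render_cell_unescaped($stored) {
    return '<input type="text" readonly value="' . $stored . '">';
}
function render_cell_escaped($stored) {
    return '<input type="text" readonly value="' . esc_attr($stored) . '">';
}

// Number of attributes an HTML parser sees on the rendered <input>.
function attribute_count($html) {
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    return $doc->getElementsByTagName('input')->item(0)->attributes->length;
}

// Constructed sample: a tag, then a double quote and a harmless marker attribute.
$submitted = '<b>row 1</b>" data-injected="1';
$stored    = sanitize_text_field($submitted);

foreach (['unescaped' => render_cell_unescaped($stored),
          'escaped'   => render_cell_escaped($stored)] as $label => $html) {
    printf("%-9s attrs=%d  %s\n", $label, attribute_count($html), $html);
}
```

Input sanitization on save does not replace context-specific escaping on output; the same attribute-count check can serve as a regression test for any admin view that prints stored submission data.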

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4388

Affected Products: Form Maker