CVE-2025-56236
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-09-09

Assigner: MITRE

Description
FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-09-09
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-56236
EUVD
EUVD-2025-26075
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
formcms formcms From 0.5.5 (inc) to 0.5.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in FormCms version 0.5.5. Authenticated users can upload malicious .html files via the avatar upload feature. These files are stored publicly without access control. When a privileged user accesses the malicious file URL, the embedded JavaScript runs in their browser, allowing the attacker to execute unauthorized actions within the application. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker to execute malicious scripts in the context of privileged users, such as Super Admins. This can lead to unauthorized API actions including full Create, Read, Update, and Delete (CRUD) operations on users, roles, and other sensitive data, potentially compromising the entire application and its data integrity. [1]

Detection Guidance

You can detect this vulnerability by checking for the presence of malicious .html files uploaded via the avatar upload endpoint (/api/profile/avatar). One approach is to monitor HTTP requests to this endpoint for file uploads with .html extensions. Additionally, you can scan the publicly accessible directory /files/avatar/ for unexpected .html files. For example, using curl or wget to list or retrieve files from /files/avatar/ and inspecting them for embedded JavaScript. Commands might include: 1) Monitoring upload requests: curl -X POST -F "[email protected]" https://yourformcmsdomain/api/profile/avatar 2) Listing files: curl https://yourformcmsdomain/files/avatar/ 3) Inspecting suspicious files: curl https://yourformcmsdomain/files/avatar/[random-id].html | grep '<script>' However, since the exact random IDs are needed, monitoring logs for upload activity and reviewing uploaded file types is essential. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict or disable the ability for authenticated users to upload .html files via the avatar upload endpoint. 2) Implement server-side validation to block uploads of files with .html extensions or any files containing executable scripts. 3) Apply access controls to the /files/avatar/ directory to prevent public access to uploaded files. 4) Inform privileged users to avoid visiting suspicious URLs related to avatar files until a patch is applied. 5) Monitor and remove any malicious .html files already uploaded. These steps reduce the risk of stored XSS exploitation until an official patch or update is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart