CVE-2025-55797: n/a
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.
AI Analysis
Technical Summary
CVE-2025-55797 is an improper access control vulnerability identified in FormCms version 0.5.4. The flaw exists in the /api/schemas/history/[schemaId] endpoint, which is designed to provide access to historical schema data. Due to insufficient access control mechanisms, unauthenticated attackers can retrieve sensitive historical schema information simply by knowing or guessing a valid schemaId. This vulnerability does not require authentication or user interaction, making it easier to exploit. The exposure of historical schema data could reveal sensitive structural or configuration information about the CMS, potentially aiding further attacks such as data exfiltration, privilege escalation, or targeted exploitation of the CMS or connected systems. Although no known exploits are reported in the wild yet, the vulnerability’s presence in a publicly accessible API endpoint and the lack of authentication controls make it a significant risk. The absence of a CVSS score suggests that the vulnerability is newly disclosed and not yet fully assessed, but the nature of the flaw indicates a serious security concern.
Potential Impact
For European organizations using FormCms, this vulnerability could lead to unauthorized disclosure of sensitive schema data, which may include metadata about forms, data structures, or business logic embedded in the CMS. Such information leakage can facilitate more sophisticated attacks, including data breaches or manipulation of CMS content. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, could face compliance violations if sensitive data is exposed. Additionally, the vulnerability could undermine trust in the affected CMS platform, potentially disrupting business operations and damaging reputations. Since the vulnerability allows unauthenticated access, attackers can exploit it remotely without prior access, increasing the risk of widespread exploitation if the CMS is publicly accessible. The impact is heightened in environments where FormCms is integrated with other critical systems or stores sensitive user data.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict access to the /api/schemas/history/[schemaId] endpoint by implementing robust authentication and authorization controls, ensuring only authorized users can query historical schema data. If possible, disable or restrict the API endpoint until a vendor patch or update is available. Conduct a thorough audit of all API endpoints to verify proper access controls are in place. Employ rate limiting and monitoring to detect unusual access patterns that may indicate exploitation attempts. Additionally, organizations should maintain an inventory of all FormCms instances and ensure they are updated to the latest secure versions once patches are released. Network segmentation and web application firewalls (WAFs) can provide additional layers of defense by blocking unauthorized API requests. Finally, educating developers and administrators about secure API design and access control best practices will help prevent similar vulnerabilities in the future.
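The monitoring step above can be sketched as a log check. This is an added example, not code from FormCms or from this advisory: it assumes a reverse proxy writing nginx/Apache "combined" access logs in front of the application, and the threshold, function names, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint path is from the advisory; the "combined" log layout is an assumption.
HISTORY_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) /api/schemas/history/(?P<sid>[^/?\s"]+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def summarize(lines):
    """Group history-endpoint requests by client IP: distinct schemaIds and outcomes."""
    stats = defaultdict(lambda: {"ids": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = HISTORY_RE.match(line)
        if not m:
            continue  # not a request to the history endpoint
        s = stats[m["ip"]]
        s["ids"].add(m["sid"])
        if m["status"].startswith("2"):
            s["hits"] += 1      # schema history was returned
        elif m["status"] in ("400", "404"):
            s["misses"] += 1    # schemaId did not resolve
    return stats

def flag_enumeration(lines, max_distinct_ids=3):
    """Return clients that requested more distinct schemaIds than the threshold."""
    return {
        ip: {"distinct_ids": len(s["ids"]), "hits": s["hits"], "misses": s["misses"]}
        for ip, s in summarize(lines).items()
        if len(s["ids"]) > max_distinct_ids
    }

# Constructed sample log (documentation IP ranges, made-up schemaIds and statuses).
SAMPLE_LOG = [
    f'198.51.100.7 - - [30/Sep/2025:16:01:0{i} +0000] '
    f'"GET /api/schemas/history/{sid} HTTP/1.1" {st} 512 "-" "-"'
    for i, (sid, st) in enumerate(
        [("s1", 404), ("s2", 404), ("s3", 200), ("s4", 404), ("s5", 200)])
] + [
    '203.0.113.20 - - [30/Sep/2025:16:02:00 +0000] '
    '"GET /api/schemas/history/s3 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.20 - - [30/Sep/2025:16:02:05 +0000] '
    '"GET /api/entities/post HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

A client with many distinct schemaIds and a high miss count is the pattern to alert on; tune `max_distinct_ids` against what legitimate administrators of the instance normally generate.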
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dbfe6f055163c02d473839
Added to database: 9/30/2025, 3:59:43 PM
Last enriched: 9/30/2025, 4:00:03 PM
Last updated: 10/2/2025, 10:01:05 PM