CVE-2025-65956 is a stored cross-site scripting (XSS) vulnerability identified in the Formwork CMS, a flat file-based content management system. The vulnerability exists in versions prior to 2.2.0 and is caused by improper neutralization of input during web page generation, specifically in the blog tag field. Attackers who have valid credentials to the CMS can insert malicious JavaScript code into this field without proper sanitization. When an administrator or any privileged user accesses or edits the affected blog post, the injected script executes within their browser context. This persistent XSS flaw can be exploited to hijack user sessions, steal authentication tokens, perform unauthorized actions on behalf of the user, or pivot further into the network. The vulnerability impacts confidentiality, integrity, and availability of administrative workflows, as the attacker-controlled script runs with the privileges of the authenticated user. Exploitation requires authentication and user interaction (viewing or editing the post), but no complex attack vectors or elevated privileges beyond normal CMS user rights are necessary. The vulnerability has been assigned a CVSS v3.1 score of 6.5, indicating a medium severity level. The vendor has addressed the issue in Formwork version 2.2.0 by implementing proper input sanitization and output encoding to prevent script injection. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to organizations relying on Formwork CMS for content management, especially those with multiple administrators or privileged users.

For European organizations using Formwork CMS, this vulnerability poses a risk primarily to administrative users who manage website content. Successful exploitation can lead to session hijacking, credential theft, and unauthorized administrative actions, potentially resulting in website defacement, data leakage, or further compromise of internal systems. The persistence of the injected script means that multiple users can be affected over time, increasing the attack surface. Given that Formwork is a CMS, organizations in sectors such as media, education, government, and small to medium enterprises that rely on this platform for public-facing websites are at risk. The impact extends beyond the website itself, as compromised administrative accounts can be leveraged to access internal networks or sensitive data. Additionally, the vulnerability could be used to distribute malware or phishing content to site visitors if attackers escalate privileges or inject malicious payloads. The requirement for authentication limits exposure to external unauthenticated attackers but does not eliminate risk from insider threats or compromised credentials. The medium severity rating suggests that while the vulnerability is not trivially exploitable by outsiders, it still warrants prompt remediation to protect critical administrative workflows and maintain trust in web services.

European organizations should immediately upgrade Formwork CMS to version 2.2.0 or later, where the vulnerability is patched. Until the upgrade can be performed, administrators should restrict access to the CMS to trusted users only and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Regularly audit user accounts and permissions to ensure that only necessary personnel have administrative privileges. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting the execution of unauthorized scripts. Monitor CMS logs and web traffic for unusual activity indicative of exploitation attempts. Educate CMS users about the risks of XSS and the importance of cautious interaction with content, especially when editing or reviewing blog posts. Consider deploying web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the blog tag field. Finally, conduct periodic security assessments of the CMS environment to identify and remediate any residual or related vulnerabilities.