18 matches found
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by CVE-2026-41240 via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: CVE-2026-41240 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16078388...
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15874904...
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15810939...
org.webjars.npm:formio__core (=2.6.0), org.webjars.npm:monaco-editor (=0.54.0) potentially affected by CVE-2025-15599 via org.webjars.npm:dompurify (>=3.1.7 <=3.2.4)
org.webjars.npm:dompurify MAVEN version =3.1.7, =3.2.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:dompurify and may be impacted: - org.webjars.npm:formio__core =2.6.0 - org.webjars.npm:monaco-editor =0.54.0 Source cves: CVE-2025-1559...
Improper Path Handling
formio is vulnerable to improper path handling. The vulnerability is due to improper validation of crafted request paths, which allows an unauthenticated or unauthorized attacker to bypass API access controls and retrieve data from protected endpoints...
Improper Handling of Case Sensitivity
Overview: formio is a Form and Data Management Platform for Progressive Web Applications. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the path parameter. An attacker can gain unauthorized access to protected API endpoints by...
Improper Handling of Case Sensitivity
Overview: org.webjars.npm:formio is a Form and Data Management Platform for Progressive Web Applications. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the path parameter. An attacker can gain unauthorized access to protected A...
EUVD-2025-202594
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718
Form.io exposes a path-handling vulnerability that can let unauthenticated/unauthorized requests access protected API endpoints by sending crafted request paths. Affected versions: 3.5.6 and earlier, and 4.0.0-rc.1 through 4.4.2. Impact is data exposure from endpoints that should be protected. Fi...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
formio-workers (>=1.0.0 <=1.5.0), ng2-formio (>=1.0.0-rc.24 <=1.0.0-rc.28) +1 more potentially affected by CVE-2025-67718 via formio (=1.91.13)
formio NPM version =1.91.13 is affected by a known vulnerability. The following packages have a transitive dependency on formio and may be impacted: - formio-workers =1.0.0, =1.0.0-rc.24, =1.0.0-rc.28 - v-formio-custom-component =0.1.1 Source cves: CVE-2025-67718 Source advisory:...
GHSA-M654-769V-QJV7 Formio improperly authorized permission elevation through specially crafted request path
Security Advisory: Unauthorized permission elevation through specially crafted request path Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain...
Malicious code in formio-plugin-offline (npm)
Source: ghsa-malware a2195f823022f5391d8bba5f8d4b40e82fc8c55a5a8521af8cb92add5c9317bc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-2672 Malicious code in formio-plugin-offline (npm)
Source: ghsa-malware a2195f823022f5391d8bba5f8d4b40e82fc8c55a5a8521af8cb92add5c9317bc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in formio-tenant (npm)
Source: ghsa-malware 2c6b64a8b6a6d607401323c18ac8fb343218bcc9a2484cf780dcd896b39d438b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1811 Malicious code in formio-tenant (npm)
Source: ghsa-malware 2c6b64a8b6a6d607401323c18ac8fb343218bcc9a2484cf780dcd896b39d438b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Remote Code Execution
formio is vulnerable to remote code execution. The vulnerability exists when deleting the default email template, which allows an attacker to execute arbitrary code via SSTI...
formio-workers (>=1.0.0 <=1.5.0), ng2-formio (>=1.0.0-rc.24 <=1.0.0-rc.28) +1 more potentially affected by CVE-2020-28246 via formio (=1.91.13)
formio NPM version =1.91.13 is affected by a known vulnerability. The following packages have a transitive dependency on formio and may be impacted: - formio-workers =1.0.0, =1.0.0-rc.24, =1.0.0-rc.28 - v-formio-custom-component =0.1.1 Source cves: CVE-2020-28246 Source advisory:...