Information disclosure in Formio

CVE-2025-67718

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a cra…

EPSS: 0.003 (20.4th percentile) — read the EPSS interpretation.

Affected products

  • Formio — versions < 3.5.7, >= 4.0.0-rc.1, < 4.4.3

Weakness classification (CWE)

References