Information disclosure in Formio
CVE-2025-67718
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a cra…
EPSS: 0.003 (20.4th percentile) — read the EPSS interpretation.
Affected products
- Formio — versions < 3.5.7, >= 4.0.0-rc.1, < 4.4.3
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)