formidable — CVE history (npm)
formidable
2 CVEs affect the formidable npm package (highest CVSS 9.8). Latest disclosed: 2025-04-26. Full CVE history sourced from NVD.
Summary
- Package: formidable (npm)
- Total CVEs: 2
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2025-04-26
Recent CVEs (top 2)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-46653 | Low | 3.1 | — | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario… |
| CVE-2022-29622 | Critical | 9.8 | — | 2022-05-16 | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. |
All-time worst (top 2 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-29622 | Critical | 9.8 | — | 2022-05-16 | An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. |
| CVE-2025-46653 | Low | 3.1 | — | 2025-04-26 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario… |