CVE-2025-64515

MEDIUM

Open Forms < 3.2.7 - Improper Input Validation in Prefill Data Fields

Title source: llm

Description

Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.

References (3)

Core 3

Core References

Patch, Vendor Advisory x_refsource_confirm

https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf

Release Notes x_refsource_misc

https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18

Release Notes x_refsource_misc

https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18

View Writeup ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0023

EPSS Percentile 13.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (1)

maykinmedia/open_forms < 3.2.7

Published Nov 18, 2025

Tracked Since Feb 18, 2026