
JhumanJ OpnForm CVE-2025-11437

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-08 · cna@vuldb.com
1.9 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: High (PR:H)
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality None / Integrity Low / Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Safety (supplemental): Not Defined (S:X); CVSS 4.0 has no Scope metric, the "X" here is the undefined supplemental Safety value.

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026, 01:33 (vuln.today)

Description (CVE.org)

A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross-site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain, which will mitigate this attack vector.

Analysis (AI)

Cross-site scripting in JhumanJ OpnForm up to version 1.9.3 lets a remote, authenticated attacker holding high privileges inject script through the Form Editor component at /api/open/forms/. Triggering the payload needs only passive interaction from a victim (UI:P), such as viewing the affected content. The vendor states that the affected feature stays disabled until a user has configured their own domain, so instances that have not done so are not exposed to this vector. Public exploit code exists, but real-world risk is tightly constrained by the high-privilege requirement, the user-interaction dependency and the vendor's default-off posture (CVSS 1.9, EPSS 0.03%).

Technical Context (AI)

The vulnerability is a cross-site scripting flaw (CWE-79) in the Form Editor component of OpnForm, a form-building platform; the CVE record does not state whether the injected script is stored or reflected. The affected endpoint /api/open/forms/ does not properly sanitize or encode user-supplied input before it is rendered in a web context, so JavaScript carried in that input executes in the browser of whoever views the result. The CPE covers all versions of jhumanj:opnform up to and including 1.9.3. The attack vector is network-accessible, but the attacker must already hold a high-privilege account (PR:H), so the realistic threat is a malicious or compromised privileged user targeting other users of the instance, and the victim must still perform a normal action that loads the tainted content (UI:P). Together these limit the practical attack surface far below that of a typical unauthenticated XSS.

Remediation (AI)

Upgrade to a patched version beyond 1.9.3 once the vendor publishes one; consult the JhumanJ project repository or release notes for the exact fix version, since the issue is still listed as under review. Until an upgrade is feasible, rely on the vendor's stated mitigation: the affected feature is disabled until a user configures their own domain, so verify that instances without a custom domain really do have it off, and treat any instance where a custom domain has been configured as exposed. Additionally, restrict high-privilege (admin) credentials to a minimal set of trusted users, review existing form definitions for unexpected HTML or script content, and, if you maintain a fork or customization, apply input validation and context-appropriate output encoding at the rendering layer. As general defense in depth for any XSS, a Content-Security-Policy that disallows inline script limits what an injected payload can do. Monitor the jhumanj/opnform GitHub repository or advisory channels for patch availability and apply the fix as soon as it is released, because exploit code is already public.
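The sanitization gap described under Technical Context and the output-encoding advice above, as an added example written for this page; this is not OpnForm code, and the record shape (a form object with `title` and `description` fields) and the sample payload are constructed assumptions:

```javascript
// Added example for this page, not OpnForm code. Field names are assumptions.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: editor-controlled form metadata is concatenated straight
// into markup, so a tag or inline event handler in it executes as script.
function renderFormVulnerable(form) {
  return `<h1>${form.title}</h1><p>${form.description}</p>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML context it
// lands in before being joined into the page.
function renderFormSafe(form) {
  return `<h1>${escapeHtml(form.title)}</h1><p>${escapeHtml(form.description)}</p>`;
}

// Review heuristic for stored definitions: flag any string field that carries
// an HTML tag or an on*= event-handler attribute. Useful when auditing form
// records fetched from an instance before a patch is available.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=/i;
function findSuspiciousFields(form) {
  return Object.entries(form)
    .filter(([, v]) => typeof v === "string" && SUSPICIOUS.test(v))
    .map(([k]) => k);
}

// Constructed sample record standing in for what a high-privilege editor
// could submit; the payload is a generic XSS probe, not the published exploit.
const sampleForm = {
  title: 'Survey<img src=x onerror="alert(document.cookie)">',
  description: "Tell us what you think",
};

// renderFormVulnerable(sampleForm) keeps the onerror handler intact;
// renderFormSafe(sampleForm) emits it as inert text.
```

`escapeHtml` is correct only for HTML text and quoted attribute values; data placed into a JavaScript string, a URL, or a CSS context needs that context's encoder instead. Template engines that escape interpolations by default (Vue's `{{ }}`, for instance) already do this step, but raw-HTML escape hatches such as `v-html` bypass it and are where this class of bug usually lives.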


CVE-2025-11437 vulnerability details – vuln.today
