GHSA-vwjj-2852-3765

GitHub Security Advisory

Cross-Site Scripting in forms

✓ GitHub Reviewed MODERATE Has CVE

Affected versions of `forms` do not properly escape HTML in generated forms, which may result in cross-site scripting.

## Recommendation

Update to version 1.3.0 or later.

npm forms

Affected versions: 0 (fixed in 1.3.0)

CVE-2017-16015

GHSA ID

GHSA-vwjj-2852-3765

Published

November 9, 2018 5:46 PM

Last Modified

September 7, 2023 6:28 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

forms

GitHub Reviewed

✓ Yes

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.