Forms

This hub aggregates every CVE we track for Forms, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 14 most recently published vulnerabilities affecting Forms.

• CVE-2026-45543Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share5.3Jun 1, 2026
• CVE-2025-68924In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.7.5Jan 16, 2026
• CVE-2025-24775WordPress Forms <= 2.9.0 - Arbitrary File Upload Vulnerability9.9Aug 14, 2025
• CVE-2024-51791WordPress Forms plugin <= 2.8.0 - Arbitrary File Upload vulnerability10.0Nov 11, 2024
• CVE-2021-37334Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability o...9.8Aug 25, 2021
• CVE-2021-24505Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)5.4Aug 9, 2021
• CVE-2021-23388Regular Expression Denial of Service (ReDoS)5.3May 31, 2021
• CVE-2019-2886Vulnerability in the Oracle Forms product of Oracle Fusion Middleware (component: Services). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenti...6.1Oct 16, 2019
• CVE-2017-16015Forms is a library for easily creating HTML forms. Versions before 1.3.0 did not have proper html escaping. This means that if the application did not sanitize html on behalf of forms, use of forms...6.1Jun 4, 2018
• CVE-2010-3260oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote ...6.4Apr 27, 2011
• CVE-2005-3207The forms servlet (f90servlet) in Oracle Forms 4.5.10.22 allows remote attackers to cause a denial of service (TNS listener stop) via a userid parameter that contains a STOP command.5.0Oct 14, 2005
• CVE-2005-2372Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malic...7.2Jul 26, 2005
• CVE-2005-2294Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of records are retrieved by an Oracle form, stores a copy of the database tables in a world-readable temporary file, which allows loca...2.1Jul 17, 2005
• CVE-2005-1178SQL injection vulnerability in Oracle Forms 10g allows remote attackers to execute arbitrary SQL commands via the Query/Where feature.7.5Apr 19, 2005