{"id":"CVE-2025-26841","details":"Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.","modified":"2026-04-10T05:23:41.054050Z","published":"2025-05-12T15:15:59.313Z","references":[{"type":"WEB","url":"https://everestforms.net"},{"type":"ADVISORY","url":"https://gist.github.com/knilkantha/71458e9a787157653d5603fe6880bc05"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wpeverest/everest-forms","events":[{"introduced":"0"},{"fixed":"c8ac8dc03fffe8bc8eb3dfb1060342ff8e8c1944"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.9"}]}}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.1.0-rc.1","1.1.3","1.1.4","1.2.0","1.2.0-rc.1","1.3.0","1.3.2","1.3.4","1.4.0","1.4.0-beta","1.4.0-beta2","1.4.0-beta3","1.4.0-beta4","1.4.0-beta5","1.4.0-beta6","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.8","1.4.9","1.5.0","1.5.1","1.5.10","1.5.2","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.6.1","1.6.7","1.7.0","1.7.0.1","1.7.0.2","1.7.0.3","1.7.1","1.7.2","1.7.2.1","1.7.2.2","1.7.3","1.7.4","1.7.5","1.7.5.1","1.7.5.2","1.7.6","1.7.7","1.7.7.1","1.7.7.2","1.7.8","1.7.9","1.8.0","1.8.0.1","1.8.1","1.8.2","1.8.2.1","1.8.2.2","1.8.2.3","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.9.0","1.9.0.1","1.9.1","1.9.2","1.9.3","1.9.4","1.9.4.1","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","2.0.0","2.0.0.1","2.0.1","2.0.3","2.0.3.1","2.0.5","2.0.6","2.0.7","2.0.8","2.0.8.1","2.0.9","3.0.0","3.0.0.1","3.0.1","3.0.2","3.0.3","3.0.3.1","3.0.4","3.0.4.1","3.0.4.2","3.0.5","3.0.5.1","3.0.5.2","3.0.6","v1.4.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-26841.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}