{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T23:06:57.938","vulnerabilities":[{"cve":{"id":"CVE-2026-28803","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T16:16:40.630","lastModified":"2026-03-17T19:19:19.560","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Open Forms allows users to create and publish smart forms. Prior to 3.3.13 and 3.4.5, to be able to cosign, the cosigner receives an e-mail with instructions or a deep-link to start the cosign flow. The submission reference is communicated so that the user can retrieve the submission to be cosigned. Attackers can guess a code or modify the received code to look up arbitrary submissions, after logging in (with DigiD/eHerkenning/... depending on form configuration). This vulnerability is fixed in 3.3.13 and 3.4.5."},{"lang":"es","value":"Open Forms permite a los usuarios crear y publicar formularios inteligentes. Antes de 3.3.13 y 3.4.5, para poder cosignar, el cosignatario recibe un correo electrónico con instrucciones o un enlace profundo para iniciar el flujo de cosignatura. La referencia de la presentación se comunica para que el usuario pueda recuperar la presentación a ser cosignada. Los atacantes pueden adivinar un código o modificar el código recibido para buscar presentaciones arbitrarias, después de iniciar sesión (con DigiD/eHerkenning/... dependiendo de la configuración del formulario). Esta vulnerabilidad está corregida en 3.3.13 y 3.4.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*","versionEndExcluding":"3.3.13","matchCriteriaId":"19C86DE6-DC79-4B71-89AD-3A43741BE51D"},{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.0","versionEndExcluding":"3.4.5","matchCriteriaId":"DFE1882C-1659-4E5A-B21A-D08B09DA32B8"}]}]}],"references":[{"url":"https://github.com/open-formulieren/open-forms/security/advisories/GHSA-2g49-rfm6-5qj5","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}