CVE-2025-55797: 
C# vulnerability analysis and mitigation

An improper access control vulnerability exists in FormCms version 0.5.4 in the /api/schemas/history/[schemaId] endpoint. The vulnerability was discovered on September 30, 2025, and allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed (NVD).

The vulnerability is classified as an improper access control issue (CWE-284) with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability exists in the History function within the server/FormCMS/Cms/Services/SchemaService.cs file, which previously lacked necessary security controls (Miggo).

The vulnerability allows unauthorized access to historical schema data, potentially exposing sensitive information. The impact is characterized by low confidentiality and availability impacts, with no impact on integrity, as indicated by the CVSS metrics (NVD).

The vulnerability has been patched in FormCms version 0.5.5. The fix introduces a SchemaPostGetHistory hook that implements proper access control checks before returning schema history data. Organizations should upgrade to version 0.5.5 or later to address this security issue (Miggo).