A non-persistent (reflected) cross-site scripting vulnerability (XSS) was found in Matomo’s Login form: the form_url request parameter was reflected into the page without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker, so that the attacker’s JavaScript runs in that user’s session.

While this is a low-risk threat, Matomo (Piwik) users are nonetheless encouraged to update to the latest version of Matomo. This issue exists in Matomo versions 0.1.6 through 0.5.5.

In Matomo (Piwik) 0.6, the form_url parameter has been removed, so the Login form no longer reflects any user-supplied URL.
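The pattern behind this class of bug, shown as an added example that is not Matomo’s own code: a login form that drops a form_url request parameter straight into its action attribute, next to a hardened version that only accepts an application-relative target and escapes it for the attribute context. The function names, the allow-list pattern and the attack value are assumptions made for illustration.

```php
<?php
// Added example (not Matomo's own code): the reflection pattern the advisory
// describes, beside a hardened version. Function names, the allow-list and the
// attack value are assumptions for illustration.

const DEFAULT_FORM_URL = 'index.php?module=Login';

// Vulnerable: form_url is interpolated verbatim into an HTML attribute. A value
// containing a double quote terminates the attribute and lets the attacker add
// new attributes (such as an event handler), which is the reflected XSS.
function renderLoginFormVulnerable(array $params): string
{
    $formUrl = $params['form_url'] ?? DEFAULT_FORM_URL;
    return '<form method="post" action="' . $formUrl . '">'
         . '<input type="text" name="form_login">'
         . '<input type="submit" value="Sign in"></form>';
}

// Hardened, step 1: only accept a URL that is relative to this application.
// Anything else (absolute URLs, quotes, whitespace, overlong values) falls back
// to the default, so no attacker-chosen URL is ever reflected.
function safeFormUrl(?string $url): string
{
    if ($url === null
        || strlen($url) > 1024
        || !preg_match('#\Aindex\.php(\?[A-Za-z0-9_%.=&-]*)?\z#', $url)) {
        return DEFAULT_FORM_URL;
    }
    return $url;
}

// Hardened, step 2: escape for the attribute context anyway, so the defence
// does not rest on the allow-list alone.
function renderLoginFormSafe(array $params): string
{
    $formUrl = htmlspecialchars(
        safeFormUrl($params['form_url'] ?? null),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<form method="post" action="' . $formUrl . '">'
         . '<input type="text" name="form_login">'
         . '<input type="submit" value="Sign in"></form>';
}

// Constructed attack value: closes the action attribute and injects an
// autofocus/onfocus pair so the handler fires without user interaction.
$attack = ['form_url' => 'index.php" autofocus onfocus="alert(document.cookie)'];

echo "Vulnerable:\n", renderLoginFormVulnerable($attack), "\n\n";
echo "Hardened (attack value):\n", renderLoginFormSafe($attack), "\n\n";

// A legitimate relative value still works; the & is encoded for the attribute.
echo "Hardened (legitimate value):\n",
     renderLoginFormSafe(['form_url' => 'index.php?module=Login&action=index']), "\n";
```

Running this shows the vulnerable form emitting the attacker’s onfocus attribute as live markup, while the hardened form replaces the attack value with the default action and renders the legitimate value with its & encoded as &amp;. Removing the parameter outright, as Matomo 0.6 did, is the simplest fix of all: a redirect-style target that is never read cannot be reflected.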


  • CVE-2010-1453 – Login Form XSS
