Just released: versions 1.7.19 and 1.8.1 of Products.PloneFormGen.
These releases fix a cross-site scripting (XSS) vulnerability that could allow a user with the rights to add or edit PFG forms to elevate permissions via an attack on a more privileged user. This vulnerability is only a problem if you allow untrusted users to add or edit PFG forms. It is not exploitable by users filling in PFG forms.
Version 1.7.19 is intended for use with Plone 4.1, 4.2 and 4.3.
Version 1.8.1 is intended for use with Plone 5.0.x.