Formie: Pre-authenticated server-side template injection in Hidden fields_CVE-2026-45697

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.

Basic Information

ID CVE-2026-45697

Source GitHub_M

Published May 29, 2026 at 19:01

Affected Product

Vendor verbb

Product formie

Version < 2.2.20

Affected Versions verbb formie < 2.2.20
verbb formie >= 3.0.0-beta.1, < 3.1.24

CWE Classification

CWE-94 CWE-693 CWE-1336

References

{
    "lastseen": "",
    "description": "Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value \u2192 Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.",
    "published": "2026-05-29T19:01:49.220Z",
    "modified": "2026-05-29T19:01:49.220Z",
    "type": "cve",
    "title": "Formie: Pre-authenticated server-side template injection in Hidden fields",
    "source": "GitHub_M",
    "references": "https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2\nhttps://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3\nhttps://github.com/verbb/formie/releases/tag/2.2.20\nhttps://github.com/verbb/formie/releases/tag/3.1.24",
    "id": "CVE-2026-45697",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-693",
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "verbb formie < 2.2.20\nverbb formie >= 3.0.0-beta.1, < 3.1.24",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "formie",
    "version": "< 2.2.20",
    "vendor": "verbb",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}