{“lastseen”:””,”description”:”Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value \u2192 Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template\/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.”,”published”:”2026-05-29T19:01:49.220Z”,”modified”:”2026-05-29T19:01:49.220Z”,”type”:”cve”,”title”:”Formie: Pre-authenticated server-side template injection in Hidden fields”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/verbb\/formie\/security\/advisories\/GHSA-x7m9-mwc2-g6w2\\nhttps:\/\/github.com\/verbb\/formie\/commit\/f690d5623163ce2a95da305238d6367575486ee3\\nhttps:\/\/github.com\/verbb\/formie\/releases\/tag\/2.2.20\\nhttps:\/\/github.com\/verbb\/formie\/releases\/tag\/3.1.24″,”id”:”CVE-2026-45697″,”bulletinFamily”:””,”cwe”:[“CWE-94″,”CWE-693″,”CWE-1336″],”cvelist”:null,”sourceData”:”verbb formie \\u003c 2.2.20\\nverbb formie \\u003e= 3.0.0-beta.1, \\u003c 3.1.24″,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”formie”,”version”:”\\u003c 2.2.20″,”vendor”:”verbb”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5],"class_list":["post-58410","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n