What is the CVSS score of CVE-2026-45697?

CVE-2026-45697 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Which versions of Formie are affected by CVE-2026-45697?

Verbb Formie, a plugin for Craft CMS, contains a critical vulnerability (CVE-2026-45697) enabling unauthenticated attackers to execute arbitrary code and completely compromise affected websites.. A patch is available.

Formie CVE-2026-45697

CRITICAL

Code Injection (CWE-94)

2026-05-18 https://github.com/verbb/formie

GHSA-x7m9-mwc2-g6w2

RCE Code Injection

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 18:00 vuln.today

Analysis Generated

May 18, 2026 - 18:00 vuln.today

DescriptionNVD

Impact

Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
Sites with public Formie forms that include at least one Hidden field with that configuration.
No CP login for the reported chain.

Patches

2.2.20, 3.1.24

Workarounds

Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
Otherwise, upgrade to patched versions

AnalysisAI

Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. …

RemediationAI

Within 24 hours: Inventory all Craft CMS installations running Verbb Formie and document their current versions. Within 7 days: Apply the vendor-released patch from Verbb's security advisory to all affected instances and verify successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45697 vulnerability details – vuln.today

Back

Formie CVE-2026-45697

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code