Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
- Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
- Sites with public Formie forms that include at least one Hidden field with that configuration.
- No CP login for the reported chain.
Patches
Workarounds
- Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
- Otherwise, upgrade to patched versions
AnalysisAI
Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and patch commit are publicly disclosed.
Technical ContextAI
Formie is a forms plugin for Craft CMS distributed via Composer as verbb/formie. The vulnerability resides in src/fields/formfields/Hidden.php where, prior to the fix, user-submitted values for Hidden fields were passed through Variables::getParsedValue(), which evaluates strings as Twig templates against Craft's template engine. This maps to CWE-94 (Improper Control of Generation of Code, i.e. code injection) and is a classic server-side template injection (SSTI) pattern: untrusted input flows into a template renderer that executes embedded expressions. The patched code only parses the field's configured defaultValue (a trusted, admin-set string) rather than the attacker-controlled submitted value, eliminating the injection sink.
RemediationAI
Vendor-released patches are available: upgrade verbb/formie to 2.2.20 (https://github.com/verbb/formie/releases/tag/2.2.20) on the 2.x branch or 3.1.24 (https://github.com/verbb/formie/releases/tag/3.1.24) on the 3.x branch, which change Hidden field serialization (src/fields/formfields/Hidden.php) to parse only the trusted configured default value rather than the submitted value (commit f690d5623163ce2a95da305238d6367575486ee3). If immediate upgrade is not feasible, the vendor-recommended workarounds are to temporarily remove Hidden fields from any public-facing forms, or to switch the Default value source for those Hidden fields away from Custom; the trade-off is loss of any dynamic default-value behavior those forms relied on, but it eliminates the Twig evaluation sink until patching. Full advisory: https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33421
GHSA-x7m9-mwc2-g6w2