Skip to main content

Formie CVE-2026-45697

| EUVDEUVD-2026-33421 CRITICAL
Code Injection (CWE-94)
2026-05-18 https://github.com/verbb/formie GHSA-x7m9-mwc2-g6w2
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:00 vuln.today
Analysis Generated
May 18, 2026 - 18:00 vuln.today

DescriptionGitHub Advisory

Impact

  • Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
  • Sites with public Formie forms that include at least one Hidden field with that configuration.
  • No CP login for the reported chain.

Patches

Workarounds

  • Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
  • Otherwise, upgrade to patched versions

AnalysisAI

Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and patch commit are publicly disclosed.

Technical ContextAI

Formie is a forms plugin for Craft CMS distributed via Composer as verbb/formie. The vulnerability resides in src/fields/formfields/Hidden.php where, prior to the fix, user-submitted values for Hidden fields were passed through Variables::getParsedValue(), which evaluates strings as Twig templates against Craft's template engine. This maps to CWE-94 (Improper Control of Generation of Code, i.e. code injection) and is a classic server-side template injection (SSTI) pattern: untrusted input flows into a template renderer that executes embedded expressions. The patched code only parses the field's configured defaultValue (a trusted, admin-set string) rather than the attacker-controlled submitted value, eliminating the injection sink.

RemediationAI

Vendor-released patches are available: upgrade verbb/formie to 2.2.20 (https://github.com/verbb/formie/releases/tag/2.2.20) on the 2.x branch or 3.1.24 (https://github.com/verbb/formie/releases/tag/3.1.24) on the 3.x branch, which change Hidden field serialization (src/fields/formfields/Hidden.php) to parse only the trusted configured default value rather than the submitted value (commit f690d5623163ce2a95da305238d6367575486ee3). If immediate upgrade is not feasible, the vendor-recommended workarounds are to temporarily remove Hidden fields from any public-facing forms, or to switch the Default value source for those Hidden fields away from Custom; the trade-off is loss of any dynamic default-value behavior those forms relied on, but it eliminates the Twig evaluation sink until patching. Full advisory: https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2.

Share

CVE-2026-45697 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy