Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.
AnalysisAI
Unauthorized submission modification in Formie (Craft CMS plugin) versions prior to 2.2.21 and 3.1.26 allows remote unauthenticated attackers to overwrite existing form submissions by POSTing a known or guessed submission ID to the formie/submissions/save-submission endpoint. The flaw is an authorization bypass (CWE-639) that compromises integrity of stored submission data without requiring credentials. No public exploit identified at time of analysis, though the upstream fix and advisory are publicly disclosed on GitHub.
Technical ContextAI
Formie is a forms-building plugin for Craft CMS developed by Verbb (CPE cpe:2.3:a:verbb:formie). The vulnerable code path is the save-submission controller action, which accepted a submission ID from the request body and updated the corresponding record without verifying that the requester owned, created, or was authorized to modify that submission - a textbook CWE-639 Authorization Bypass Through User-Controlled Key (IDOR). Because submission IDs are typically sequential integers, an attacker can enumerate or guess valid IDs trivially. The upstream patch introduces a new submissionEditToken mechanism (per the 2.2.21 release notes) that binds edit requests to a cryptographically derived token rather than relying solely on the predictable submission ID.
RemediationAI
Vendor-released patches are available: upgrade to Formie 2.2.21 for the 2.x branch or 3.1.26 for the 3.x branch, both published on the verbb/formie GitHub releases page (https://github.com/verbb/formie/releases/tag/2.2.21 and https://github.com/verbb/formie/releases/tag/3.1.26), with full advisory context at https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg. The 2.2.21 release adds a submissionEditToken to tighten authorization on edit requests, which is the structural fix and cannot be reliably replicated via configuration alone. As a temporary compensating control until patching, restrict access to the /formie/submissions/save-submission route at the web server or reverse proxy layer (for example via nginx or Apache location rules) to authenticated sessions or trusted IP ranges - note this will break legitimate end-user submission editing flows where they exist, so it is suitable only for sites that do not rely on user-facing submission edits. Sites should also audit recent submission records for unexpected modifications, since exploitation leaves no authentication trail.
Formie is a Craft CMS plugin for creating forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploi
Formie is a Craft CMS plugin for creating forms. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploi
Formie is a Craft CMS plugin for creating forms. Rated medium severity (CVSS 4.4), this vulnerability is low attack comp
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33422
GHSA-pgxq-p76c-x9cg