Skip to main content

Formie CVE-2026-52889

CRITICAL
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-07-06 https://github.com/verbb/formie GHSA-565m-g33j-jq96
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated, network-reachable SSTI triggered by simply rendering the form (AV:N/PR:N/UI:N); AC:L since exploitation is reliable once the request-derived Hidden field exists, with full CIA impact from Twig-based RCE.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 17:15 vuln.today

DescriptionGitHub Advisory

Summary

Formie Hidden fields could evaluate request-derived values as Twig during front-end form rendering.

When a Hidden field used a dynamic default value such as HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value, the value was copied from the incoming request and later passed to Craft’s Twig rendering layer. This allowed an unauthenticated attacker to provide Twig syntax in request-controlled input and have it evaluated server-side when the form was rendered.

Affected Versions

verbb/formie for Craft 5:

  • Affected: >= 3.0.0-beta.1, <= 3.1.26
  • Patched: 3.1.27

Impact

An unauthenticated attacker could trigger server-side template evaluation by visiting a public form containing a Hidden field configured with a request-derived default value.

Because Craft’s normal Twig environment exposes application objects, this may lead to disclosure of sensitive information, modification of application state, or remote code execution depending on the site configuration and available Twig capabilities.

Technical Details

The issue exists in the Hidden field front-end render path. Request-derived Hidden field defaults were assigned to the field’s defaultValue, then rendered via Twig in Hidden::getFrontEndInputOptions().

The fix ensures Twig rendering is only performed for the custom default option, where the template source is admin-authored. Request-derived default options are now treated as plain strings.

Patches

Update to Formie 3.1.27 or later.

Workarounds

Until patched, avoid using request-derived Hidden field defaults on public forms, including:

  • HTTP User Agent
  • HTTP Refer URL
  • Current URL
  • Current URL without Query String
  • Query Parameter
  • Cookie Value

Alternatively, remove affected Hidden fields from public forms until the update is applied.

Credit

Name: Yanchon918s Email: [ao9s@ao9s.net](mailto:ao9s@ao9s.net)

AnalysisAI

Server-side template injection in Formie, a forms plugin for Craft CMS 5 (verbb/formie 3.0.0-beta.1 through 3.1.26), allows unauthenticated attackers to inject Twig syntax through request-controlled inputs that Hidden fields use as dynamic default values. When a public form contains a Hidden field seeded from the User Agent, Referer, Current URL, a query parameter, or a cookie, the attacker-supplied value reaches Craft's Twig rendering layer and is evaluated server-side, potentially yielding information disclosure, application-state modification, or remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate public Formie form with dynamic Hidden field
Delivery
Craft Twig payload in User Agent/Referer/query/cookie
Exploit
Request page to trigger Twig render
Execution
Server-side template evaluation in Craft
Impact
Disclose secrets or execute code

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Craft CMS site to publicly render a Formie form (verbb/formie 3.0.0-beta.1-3.1.26) that contains a Hidden field configured with one of the request-derived dynamic default value types: HTTP User Agent, HTTP Referer URL, Current URL, Current URL without Query String, Query Parameter, or Cookie Value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) describes network-reachable, unauthenticated, low-complexity exploitation with full CIA impact - consistent with unauthenticated SSTI-to-RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a public Craft CMS site running Formie with a contact or signup form whose Hidden field captures, for example, the Referer or a query parameter as its default. The attacker requests the form page with a crafted Twig payload placed in that request element (e.g., the Referer header or ?param= value); when Formie renders the form, Craft's Twig engine evaluates the payload server-side, letting the attacker read application secrets or, depending on exposed Twig capabilities and site configuration, execute code. …
Remediation Vendor-released patch: update verbb/formie to 3.1.27 or later (composer require verbb/formie:^3.1.27 then run migrations), per the advisory at https://github.com/verbb/formie/security/advisories/GHSA-565m-g33j-jq96. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Craft CMS 5 deployments running Formie versions 3.0.0-beta.1-3.1.26 and disable public form access or restrict to authenticated users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Ssti

View all
CVE-2025-47916 CRITICAL POC
10.0 May 16

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e

CVE-2024-6386 CRITICAL POC
9.9 Aug 21

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor

CVE-2024-23692 CRITICAL POC
9.8 May 31

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. Rated c

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2024-32651 CRITICAL POC
10.0 Apr 26

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification servic

CVE-2024-4040 CRITICAL POC
10.0 Apr 22

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms all

CVE-2024-24724 CRITICAL POC
9.8 Apr 03

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Re

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2025-1040 HIGH POC
8.8 Mar 20

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C

CVE-2023-6709 HIGH POC
8.8 Dec 12

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2022-0896 HIGH POC
8.8 Mar 09

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior t

CVE-2024-54954 HIGH POC
8.0 Feb 10

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate

Share

CVE-2026-52889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy