CVE-2026-45697

CRITICAL 9.8

Formie: Pre-authenticated server-side template injection in Hidden fields

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.

CWE	CWE-94 CWE-693 CWE-1336
Vendor	verbb
Product	formie
Published	May 29, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for verbb formie

Be the first to know when new critical vulnerabilities affecting verbb formie are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

verbb / formie

< 2.2.20 >= 3.0.0-beta.1, < 3.1.24

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2 github.com: https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3 github.com: https://github.com/verbb/formie/releases/tag/2.2.20 github.com: https://github.com/verbb/formie/releases/tag/3.1.24