Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default …

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 21:09:42

Source:

nvd.nist.gov

Web Technologies, Enterprise Applications

The Formie plugin for Craft CMS contains a critical vulnerability where unauthenticated users can inject malicious Twig code through hidden form fields with custom default values. This server-side template injection vulnerability affects versions prior to 2.2.20 and 3.1.24 and can lead to complete compromise of the Craft CMS site. The vulnerability occurs during form submission handling when crafted values in hidden fields are evaluated as Twig templates. The impact depends on the specific template and sandbox configuration but can result in serious security compromise. Patches are available in versions 2.2.20 and 3.1.24.
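One way to check a site against the version bounds above, as an added example (not code from the advisory or the Formie project): it reads a composer.lock and compares the locked Formie version with 2.2.20 and 3.1.24. The Composer package name `verbb/formie` and the sample lock contents are assumptions made for the example.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {2: (2, 2, 20), 3: (3, 1, 24)}
PACKAGE = "verbb/formie"  # assumption: Composer package name, not stated on the page

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": "verbb/formie", "version": "2.2.19"},
], "packages-dev": []})


def parse_version(text):
    """Turn '3.1.9', 'v2.2.20' or '3.1.24-beta.1' into ((major, minor, patch), prerelease)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1, 2, 3))
    return numbers, m.group(4).startswith("-")


def is_affected(version_text):
    """True when the version predates the fix for its release line."""
    version, prerelease = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Lines older than 2.x are 'prior to 2.2.20'; newer major lines are
        # outside what the advisory covers and are reported as not affected.
        return version[0] < min(FIXED)
    # A pre-release of the fixed version is treated as affected (conservative).
    return version < fixed or (version == fixed and prerelease)


def installed_version(lock_text):
    """Return the locked Formie version from composer.lock content, or None."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() == PACKAGE:
            return pkg["version"]
    return None


if __name__ == "__main__":
    found = installed_version(SAMPLE_LOCK)
    print(found, "affected" if is_affected(found) else "not affected")
```
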

Technical details

Affected products:

Formie
Craft CMS

This article was created with the assistance of AI technology by Perceptive.
