CVE-2026-45697
CRITICAL
9,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Description
AI Translation Available
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.
94
Improper Control of Generation of Code ('Code Injection')
DraftCommon Consequences
Security Scopes Affected:
Access Control
Integrity
Confidentiality
Availability
Non-Repudiation
Potential Impacts:
Bypass Protection Mechanism
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Hide Activities
Applicable Platforms
Languages:
Interpreted
Technologies:
AI/ML
693
Protection Mechanism Failure
DraftCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
Technologies:
Not Technology-Specific, ICS/OT
1336
Improper Neutralization of Special Elements Used in a Template Engine
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
Languages:
Java, PHP, Python, JavaScript, Interpreted
Technologies:
Not Technology-Specific, AI/ML, Client Server
https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3
https://github.com/verbb/formie/releases/tag/2.2.20
https://github.com/verbb/formie/releases/tag/3.1.24
https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2