EXECUTIVE SUMMARY:
CVE-2026-45697 (CVSS 9.8) is an unauthenticated server-side template injection (SSTI) vulnerability in the Formie package (verbb/formie) for Craft CMS. Hidden fields whose Default value is set to Custom have their submitted value evaluated as Twig during submission handling. Any publicly accessible Formie form that contains at least one Hidden field configured this way therefore lets an attacker, without any credentials, submit a crafted value that the server renders as a Twig template, injecting attacker-controlled code into the template engine and potentially compromising the whole Craft site. The business impact includes unauthorized access, data tampering and site takeover, so affected installations should be upgraded to a patched version promptly.
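The sink described above is a submitted form value that is evaluated as Twig. A practical check for an operator is therefore to inspect incoming submissions for Twig delimiters ({{ }}, {% %}, {# #}) in the fields that the form treats as Hidden fields. The following is an added example, not code from the advisory or from the Formie project: it parses form-encoded POST bodies and reports fields whose value contains Twig syntax. The field naming (fields[handle]) and the set of hidden-field handles are assumptions made for the illustration; Formie's actual request layout is not asserted. The sample bodies are constructed, and the probe value {{ 1+1 }} is the usual harmless test string for template evaluation, not an exploit.

```python
import re
from urllib.parse import parse_qs

# Twig delimiters: output {{ }}, statement {% %}, comment {# #}.
# A single brace pair ({ }) is ordinary text and must not trigger.
TWIG_SYNTAX = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Constructed sample POST bodies (not real Formie traffic). The
# fields[handle] naming is an assumption for this example only.
SAMPLE_BODIES = {
    "benign": "handle=contact&fields[name]=Ada&fields[source]=newsletter&fields[message]=Hello",
    # fields[source] = "{{ 1+1 }}"  (harmless evaluation probe)
    "twig_output": "handle=contact&fields[name]=x&fields[source]=%7B%7B+1%2B1+%7D%7D",
    # fields[source] = "{% if true %}x{% endif %}"
    "twig_statement": "handle=contact&fields[source]=%7B%25+if+true+%25%7Dx%7B%25+endif+%25%7D",
    # plain braces only, should not be flagged
    "braces_only": "handle=contact&fields[message]=use+%7Bbraces%7D+freely",
}

# Assumption: which field handles on this form are Hidden fields with a
# Custom default, i.e. the sink the advisory describes.
HIDDEN_FIELD_HANDLES = {"source"}

FIELD_KEY = re.compile(r"fields\[(.+?)\]")


def twig_injection_findings(body: str, hidden_handles=None):
    """Return (handle, value) pairs whose submitted value contains Twig syntax.

    If hidden_handles is given, only those fields are inspected (the vulnerable
    sink); otherwise every submitted field is checked, which is the broader
    signal to log while you do not yet know which forms carry Hidden fields.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for key, values in params.items():
        m = FIELD_KEY.fullmatch(key)
        handle = m.group(1) if m else key
        if hidden_handles is not None and handle not in hidden_handles:
            continue
        for value in values:
            if TWIG_SYNTAX.search(value):
                findings.append((handle, value))
    return findings


def scan_bodies(bodies, hidden_handles=None):
    """Map each sample name to its findings; empty lists mean clean."""
    return {name: twig_injection_findings(body, hidden_handles)
            for name, body in bodies.items()}


if __name__ == "__main__":
    for name, hits in scan_bodies(SAMPLE_BODIES, HIDDEN_FIELD_HANDLES).items():
        print(f"{name}: {'FLAG ' + repr(hits) if hits else 'clean'}")
```

Matching on delimiters is a coarse signal and will occasionally flag legitimate free-text fields, which is why the function can be narrowed to the Hidden fields. For a Hidden field a genuine browser submission should carry exactly the value the form configured, so any deviation from that value, Twig syntax or not, is worth alerting on. This is a detection aid; the fix is the upgrade in the recommendation below.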
RECOMMENDATION:
We recommend updating verbb/formie to version 2.2.21 or 3.1.26 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-x7m9-mwc2-g6w2