CVE-2024-35191

Name of the Vulnerable Software and Affected Versions Formie versions prior to 2.1.6

Description The issue allows users with access to a form's settings to include malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message. This code will then be executed upon creating a submission or rendering the text. The severity is listed as low-medium due to requiring control panel access to edit a form's settings.

Recommendations For versions prior to 2.1.6, update to at least version 2.1.6 to resolve the issue. As a temporary workaround, consider restricting access to form settings to minimize the risk of exploitation.