PT-2026-36993 · 10Web · Form Maker

Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-3359

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder versions prior to 1.15.43

Description

Insufficient escaping of user-supplied parameters and a lack of proper preparation in SQL queries allow unauthenticated attackers to perform SQL Injection. By appending additional SQL queries via the inputs parameter, an attacker can extract sensitive information from the database.

Recommendations

Update to a version later than 1.15.42. As a temporary workaround, restrict access to or avoid using the inputs parameter until the update is applied.
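
A log-triage sketch for the period before the update is applied, added here as an example and not taken from the advisory or the plugin: it flags logged requests whose `inputs` parameter carries SQL syntax. It assumes combined-format access logs and that `inputs` arrives in the query string; the sample lines, paths and addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Statement separators, quotes, comment markers and query keywords:
# syntax typical of SQL appended to a parameter value.
SQL_MARKERS = re.compile(
    r"(;|'|\"|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b)",
    re.IGNORECASE,
)
# Client address, request target and status from a combined-format log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation addresses, hypothetical /contact/ path).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/May/2026:10:01:02 +0000] "GET /contact/?inputs=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/May/2026:10:01:05 +0000] "GET /contact/?inputs=12%3B%20SELECT%201 HTTP/1.1" 200 498',
    '203.0.113.9 - - [05/May/2026:10:01:09 +0000] "GET /contact/?inputs=12%2520UNION%2520SELECT%25201 HTTP/1.1" 200 498',
    '192.0.2.44 - - [05/May/2026:10:02:00 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 1024',
]

def suspicious_inputs(log_lines, param="inputs"):
    """Return (ip, status, decoded value) for requests whose `param` carries SQL markers."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.split("[", 1)[0] != param:  # also matches array form inputs[]
                continue
            decoded = unquote_plus(value)
            if SQL_MARKERS.search(decoded):
                hits.append((m["ip"], int(m["status"]), decoded))
    return hits

if __name__ == "__main__":
    for hit in suspicious_inputs(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this covers query-string traffic only.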

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-3359

Affected Products

Form Maker