PT-2026-41792 · Packagist · Verbb/Formie

Published: 2026-05-18 · Updated: 2026-05-18 · CVE-2026-45697

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact

  • Unauthenticated users could submit crafted values into Hidden fields (configured with Default value → Custom) that were evaluated as Twig during submission handling. Depending on template/sandbox behaviour, this could lead to serious compromise of the Craft site.
  • Affected: sites with public Formie forms that include at least one Hidden field with that configuration.
  • No control panel (CP) login is required for the reported chain.
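The Impact bullets describe one pattern: a string that arrived in the form POST was compiled and rendered as a Twig template. The following PHP is an added illustration of that pattern beside two hardened alternatives; it is not Formie's or Craft's code, and the function names, the `siteName` context variable and the sample values are constructed for the example. It assumes only the `twig/twig` package installed via Composer.

```php
<?php
// Added illustration, not Formie's or Craft's code: the difference between compiling a
// request-supplied string as a Twig template and treating it as data.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Unsafe pattern (the thing to look for in code review): whatever arrived in the POST
// body for the Hidden field becomes template source, so every tag, filter and function
// reachable in the environment now runs server-side for an unauthenticated submitter.
function hiddenValueUnsafe(Environment $twig, string $submittedValue, array $context): string
{
    return $twig->createTemplate($submittedValue)->render($context);
}

// Hardened pattern 1: only the admin-authored default expression (stored in the field
// config, never in the request) is compiled. A submitted override, if accepted at all,
// is kept as an opaque string.
function hiddenValueSafe(Environment $twig, string $configuredDefault, ?string $submittedValue, array $context): string
{
    if ($submittedValue !== null && $submittedValue !== '') {
        return $submittedValue; // data, never code
    }
    return $twig->createTemplate($configuredDefault)->render($context);
}

// Hardened pattern 2 (defence in depth): if a template must ever be built from a value
// that is not fully trusted, compile it in an environment whose sandbox policy allows no
// tags, filters, methods, properties or functions. Twig then throws SecurityError
// instead of executing them.
function sandboxedEnvironment(): Environment
{
    // allowed tags, filters, methods, properties, functions: all empty
    $policy = new SecurityPolicy([], [], [], [], []);
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new SandboxExtension($policy, true)); // true = always sandboxed
    return $twig;
}

// Constructed sample input: the admin default references a submission-time variable;
// the submitted value uses a filter, which a form post should never be able to invoke.
$twig = new Environment(new ArrayLoader());
$context = ['siteName' => 'Example Site'];
$configuredDefault = 'Submitted on {{ siteName }}';
$submittedValue = '{{ siteName|upper }} from the request';

// Configured default is evaluated, as intended.
echo hiddenValueSafe($twig, $configuredDefault, null, $context), PHP_EOL;

// Submitted text is returned verbatim; no template compilation happens.
echo hiddenValueSafe($twig, $configuredDefault, $submittedValue, $context), PHP_EOL;

// Same submitted text forced through the sandboxed environment is rejected.
try {
    echo sandboxedEnvironment()->createTemplate($submittedValue)->render($context), PHP_EOL;
} catch (SecurityError $e) {
    echo 'sandbox blocked: ', $e->getMessage(), PHP_EOL;
}
```

Running the script prints the rendered configured default, then the submitted string unchanged, then a sandbox error for the filter. The first hardened function is the real fix (the request value never reaches the compiler); the sandbox is a backstop that still depends on how restrictive the policy is, which is why the Impact bullet qualifies the outcome with "depending on template/sandbox behaviour".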

Patches

Workarounds

  • Temporarily remove Hidden fields from public forms, or switch the Hidden field's default away from Custom where feasible.
  • Otherwise, upgrade to patched versions.

Fix

Weakness Enumeration

Code Injection
Protection Mechanism Failure

Related Identifiers

CVE-2026-45697
GHSA-X7M9-MWC2-G6W2

Affected Products

Verbb/Formie