PT-2026-41792 · Git+2 · Formie+1

Pwnsauc3

·

Published

2026-05-18

·

Updated

2026-06-19

·

CVE-2026-45697

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Formie versions prior to 2.2.20 Formie versions prior to 3.1.24
Description Unauthenticated users can submit crafted values into Hidden fields configured with a Custom default value. These values are evaluated as Twig during submission handling, which may lead to a serious compromise of the Craft site depending on the template or sandbox behavior.
Recommendations Update to version 2.2.20. Update to version 3.1.24. As a temporary workaround, remove Hidden fields from public forms or change the Hidden default value from Custom.

Exploit

Fix

RCE

Protection Mechanism Failure

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45697
GHSA-X7M9-MWC2-G6W2

Affected Products

Formie
Verbb/Formie