PT-2026-41792 · Git+2 · Formie+1
Pwnsauc3
·
Published
2026-05-18
·
Updated
2026-06-19
·
CVE-2026-45697
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Formie versions prior to 2.2.20
Formie versions prior to 3.1.24
Description
Unauthenticated users can submit crafted values into Hidden fields configured with a Custom default value. These values are evaluated as Twig during submission handling, which may lead to a serious compromise of the Craft site depending on the template or sandbox behavior.
Recommendations
Update to version 2.2.20.
Update to version 3.1.24.
As a temporary workaround, remove Hidden fields from public forms or change the Hidden default value from Custom.
Exploit
Fix
RCE
Protection Mechanism Failure
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Formie
Verbb/Formie