PT-2026-7943 · WordPress+1 · Freeforum+1

Prav33N-Sec · Published 2026-01-22 · Updated 2026-02-13 · CVE-2026-26188

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Solspace Freeform plugin for Craft CMS versions 5.0 through 5.14.6

Description

A low-privilege authenticated user with form creation/editing permissions can inject arbitrary HTML and JavaScript code into the Craft Control Panel builder and integrations views. Form labels and integration metadata, controlled by the user, are rendered using dangerouslySetInnerHTML without proper sanitization, resulting in stored cross-site scripting (XSS). This allows for the execution of malicious scripts when any administrator views the builder or integration screens.

Recommendations

Update to version 5.14.7 or later.
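
The raw rendering described above next to escaped text rendering, plus a review check for stored labels and integration metadata that contain markup, as an added example (not Freeform's code and not the project's fix). The record shape, function names and sample values are constructed for illustration.

```javascript
// Added illustration; not Freeform source. All names and sample data are constructed.

// Escaping equivalent to what React applies to text children such as <span>{label}</span>.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Models <span dangerouslySetInnerHTML={{ __html: label }} />: the stored string
// becomes markup verbatim, so any tags in it are parsed by the viewer's browser.
function renderLabelRaw(label) {
  return `<span class="label">${label}</span>`;
}

// Hardened form: the stored string is only ever treated as text.
function renderLabelText(label) {
  return `<span class="label">${escapeHtml(label)}</span>`;
}

// Review helper: list user-controlled strings that contain an HTML tag, so that
// values saved before upgrading can be inspected by an administrator.
function auditStoredStrings(records) {
  const tagPattern = /<\/?[a-z!][^>]*>/i;
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec.strings)) {
      if (typeof value === 'string' && tagPattern.test(value)) {
        findings.push({ id: rec.id, field, value });
      }
    }
  }
  return findings;
}

// Constructed sample records (hypothetical shape: one entry per form).
const sampleRecords = [
  { id: 'form-1', strings: { label: 'Contact us', integrationName: 'CRM sync' } },
  { id: 'form-2', strings: { label: 'Newsletter <script>/* constructed */</script>' } },
  { id: 'form-3', strings: { label: 'Terms & conditions', integrationName: '<b>Mail</b>' } },
];

for (const f of auditStoredStrings(sampleRecords)) {
  console.log(`${f.id}.${f.field} contains markup; escaped: ${renderLabelText(f.value)}`);
}
```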

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-26188
GHSA-JP3Q-WWP3-PWV9

Affected Products

Craft Cms
Freeforum