GHSA-x7m9-mwc2-g6w2

Source

https://github.com/advisories/GHSA-x7m9-mwc2-g6w2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x7m9-mwc2-g6w2/GHSA-x7m9-mwc2-g6w2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x7m9-mwc2-g6w2

Aliases

CVE-2026-45697

Published

2026-05-18T17:23:39Z

Modified

2026-05-18T17:32:56.038034Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Formie: Pre-authenticated server-side template injection in Hidden fields

Details

Impact

Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
Sites with public Formie forms that include at least one Hidden field with that configuration.
No CP login for the reported chain.

Patches

2.2.20, 3.1.24

Workarounds

Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
Otherwise, upgrade to patched versions

Database specific

{
    "cwe_ids": [
        "CWE-1336",
        "CWE-693",
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:23:39Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
}

References

Affected packages

Packagist / verbb/formie

Package

Name: verbb/formie
Purl: pkg:composer/verbb/formie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0-beta.1

Fixed

3.1.24

Affected versions

3.*

3.0.0-beta.1

3.0.0-beta.2

3.0.0-beta.3

3.0.0-beta.4

3.0.0-beta.5

3.0.0-beta.6

3.0.0-beta.7

3.0.0-beta.8

3.0.0-beta.9

3.0.0-beta.10

3.0.0-beta.11

3.0.0-beta.12

3.0.0-beta.13

3.0.0-beta.14

3.0.0-beta.15

3.0.0-beta.16

3.0.0-beta.17

3.0.0-beta.18

3.0.0-beta.19

3.0.0-beta.20

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23

3.0.24

3.0.25

3.0.26

3.0.27

3.0.28

3.0.29

3.0.30

3.0.31

3.0.32

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.21

3.1.22

3.1.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x7m9-mwc2-g6w2/GHSA-x7m9-mwc2-g6w2.json"

Packagist / verbb/formie

Package

Name: verbb/formie
Purl: pkg:composer/verbb/formie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.20

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.9.1

1.1.0

1.1.1

1.1.1.1

1.1.2

1.1.3

1.1.4

1.1.4.1

1.1.5

1.1.6

1.1.7

1.1.8

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.7.1

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

1.2.22

1.2.23

1.2.23.1

1.2.24

1.2.25

1.2.26

1.2.27

1.2.28

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.16.1

1.3.17

1.3.18

1.3.19

1.3.19.1

1.3.20

1.3.21

1.3.22

1.3.23

1.3.24

1.3.25

1.3.26

1.3.27

1.4.0

1.4.0.1

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.4.21.1

1.4.22

1.4.23

1.4.24

1.4.25

1.4.26

1.4.27

1.4.28

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.5.12

1.5.13

1.5.13.1

1.5.13.2

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.6.32

1.6.33

1.6.34

1.6.35

1.6.36

1.6.36.1

1.6.37

1.6.38

1.6.39

1.6.40

1.6.41

1.6.42

1.6.43

1.6.44

1.6.45

1.6.46

1.6.47

2.*

2.0.0-beta.1

2.0.0-beta.2

2.0.0-beta.3

2.0.0-beta.4

2.0.0-beta.5

2.0.0-beta.6

2.0.0-beta.7

2.0.0-beta.8

2.0.0-beta.9

2.0.0-beta.10

2.0.0-beta.11

2.0.0-beta.12

2.0.0-beta.13

2.0.0-beta.14

2.0.0-beta.15

2.0.0-beta.16

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.23.1

2.0.24

2.0.25

2.0.25.1

2.0.26

2.0.27

2.0.27.1

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.34.1

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.0.42

2.0.43

2.0.44

2.0.44.1

2.0.45

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.20

2.1.21

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.27

2.1.28

2.1.29

2.1.30

2.1.31

2.1.32

2.1.33

2.1.34

2.1.35

2.1.36

2.1.37

2.1.38

2.1.39

2.1.40

2.1.41

2.1.42

2.1.43

2.1.44

2.1.45

2.1.46

2.1.47

2.1.48

2.1.49

2.1.50

2.1.51

2.1.52

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x7m9-mwc2-g6w2/GHSA-x7m9-mwc2-g6w2.json"