VYPR
Critical severity 9.8 · GHSA Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-45697

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem) | Affected versions | Patched versions
verbb/formie (Packagist) | >= 3.0.0-beta.1, < 3.1.24 | 3.1.24
verbb/formie (Packagist) | < 2.2.20 | 2.2.20
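
To check whether a Craft project pins a Formie release inside the affected ranges listed above, the following added example (not part of the advisory or of Formie) reads a `composer.lock` and compares the locked `verbb/formie` version against those ranges. The function names, the sample lock content and the simplified pre-release ordering are assumptions of this sketch.

```python
import json
import re

# Affected ranges from the advisory: (lower bound inclusive or None, upper bound exclusive).
AFFECTED = [(None, "2.2.20"), ("3.0.0-beta.1", "3.1.24")]
# Composer stability order, lowest first; a plain release ranks highest.
STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|beta|rc)\.?(\d*))?", re.I)


def parse(version):
    """Turn '3.0.0-beta.1' or 'v2.2.19' into a tuple that sorts correctly."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, stab, num = m.groups()
    return (int(major), int(minor), int(patch),
            STABILITY[(stab or "").lower()], int(num or 0))


def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse(version)
    return any((lo is None or parse(lo) <= v) and v < parse(hi) for lo, hi in AFFECTED)


def check_lock(lock_text):
    """Return (version, affected) for verbb/formie, or None if it is not locked.

    affected is None when the version cannot be compared (for example a
    branch alias such as 'dev-main'); treat that as needing manual review.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "verbb/formie":
            try:
                return pkg["version"], is_affected(pkg["version"])
            except ValueError:
                return pkg["version"], None
    return None


# Constructed sample composer.lock content, for illustration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": "verbb/formie", "version": "2.2.19"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```
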
