VYPR
Critical severity · 9.8 · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

Formie: Pre-authenticated server-side template injection in Hidden fields

CVE-2026-45697

Description

### Impact

- Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior).
- Sites with public Formie forms that include at least one Hidden field with that configuration.
- No CP login for the reported chain.

### Patches

- 2.2.20, 3.1.24

### Workarounds

- Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible
- Otherwise, upgrade to patched versions

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated users can inject Twig code via Hidden fields with custom defaults in Craft Formie, leading to server-side template injection.

Vulnerability

In affected versions of Formie, unauthenticated users could submit crafted values into Hidden fields that have their Default value set to Custom. These values were evaluated as Twig during submission handling, leading to server-side template injection. This affects Formie versions prior to 2.2.20 and versions 3.0.0-beta.1 up to 3.1.23. [2]

Exploitation

An unauthenticated attacker needs a public Formie form containing at least one Hidden field with the Default value set to Custom. By submitting a malicious Twig payload in that field, the payload is executed by the server. No control panel login is required. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary Twig code on the server, potentially compromising the entire Craft CMS site. The severity depends on the Twig sandbox configuration but can lead to full site takeover, data exfiltration, or remote code execution. [2]

Mitigation

Upgrade to Formie 2.2.20 (for Craft 4) or 3.1.24 (for Craft 5) as soon as possible. If upgrading is not immediate, remove Hidden fields from public forms or change their Default value setting away from Custom. [2][3][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Commit f690d5623163

Fix an issue with Hidden fields and evaluating Twig

https://github.com/verbb/formie · Josh Crawford · May 10, 2026 · via ghsa
1 file changed · +1 −3
  • src/fields/formfields/Hidden.php (+1 −3, modified)
    @@ -111,11 +111,9 @@ public function serializeValue(mixed $value, ?ElementInterface $element = null):
     
                 // Check if there's no value been added on the front-end, and use the default value
                 if ($value === '') {
    -                $value = $this->defaultValue;
    +                $value = Variables::getParsedValue($this->defaultValue, $element);
                 }
     
    -            $value = Variables::getParsedValue($value, $element);
    -
                 // Immediately update the value for the element, so integrations use the up-to-date value
                 if ($element) {
                     $element->setFieldValue($this->handle, $value);
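Review bot: After this change the strict `if ($value === '')` check is the only thing standing between a submitted Hidden value and `Variables::getParsedValue()`, yet nothing in the hunk says so; add a comment on the `$value = Variables::getParsedValue($this->defaultValue, $element);` line stating that only the admin-configured default may be parsed and that a submitted value must be stored verbatim, so a later refactor does not reintroduce the removed `$value = Variables::getParsedValue($value, $element);` call. A regression test that submits a string containing `{{ ... }}` and asserts it round-trips unchanged through `serializeValue()` would pin that behaviour. It is also worth confirming that the removed unconditional call was the only path by which a submitted Hidden value reached the Twig parser, since this hunk covers `serializeValue()` alone.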
    

Vulnerability mechanics

Root cause

"Hidden field default values are evaluated as Twig templates without sanitization, allowing unauthenticated front-end users to inject arbitrary Twig code via crafted submissions."

Attack vector

An unauthenticated attacker submits a crafted value into a Hidden field that has its Default value type set to "Custom" on a public Formie form. During submission handling, the `serializeValue()` method passes the attacker-supplied value through `Variables::getParsedValue()`, which evaluates it as Twig markup [patch_id=418988]. The attacker does not need a control panel login; only a publicly accessible form with at least one Hidden field configured with a Custom default value is required. The Twig evaluation occurs server-side, so the payload is executed in the context of the Craft template/sandbox environment, potentially leading to full site compromise.

Affected code

The vulnerable code resides in `src/fields/formfields/Hidden.php` within the `serializeValue()` method. The method unconditionally passes the field value (which may be attacker-controlled) through `Variables::getParsedValue()`, causing Twig evaluation of arbitrary input [patch_id=418988].

What the fix does

The patch moves the `Variables::getParsedValue()` call so that it is only applied to the default value when no user-supplied value exists (i.e., when `$value === ''`). Previously, the code first assigned the default value, then unconditionally called `Variables::getParsedValue()` on whatever value was present — including attacker-supplied input. By guarding the Twig evaluation behind the empty-value check and removing the unconditional second call, the patch ensures that only the pre-configured default value is ever parsed as Twig, while user-submitted values are stored as plain text [patch_id=418988].
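The control-flow change described above, as an added Python model written for this page (not Formie's own PHP, and not from the verbb/formie project): `serialize_vulnerable()` mirrors the pre-fix ordering, `serialize_fixed()` the post-fix ordering, and `regression_check()` runs both on an empty submission and on a constructed probe containing template syntax. `parse()` is a constructed stand-in for Twig and `Variables::getParsedValue()` that only resolves `{{ name }}` placeholders from a fixed context and records every string it was handed; the context values and the probe are assumptions chosen for illustration.

```python
"""Model of Formie's Hidden-field serializeValue() flow before and after the fix.
Illustrative code for this page, not Formie's PHP; parse() stands in for Twig."""
import re
from dataclasses import dataclass, field

# Constructed context standing in for the variables a template could see.
CONTEXT = {"submission.id": "42", "request.ip": "203.0.113.7"}
PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


@dataclass
class ParseLog:
    """Records every string handed to the template parser."""
    parsed: list = field(default_factory=list)


def parse(template: str, log: ParseLog) -> str:
    """Stand-in for Variables::getParsedValue(): substitutes known placeholders."""
    log.parsed.append(template)
    return PLACEHOLDER.sub(lambda m: CONTEXT.get(m.group(1), m.group(0)), template)


def serialize_vulnerable(submitted: str, default: str, log: ParseLog) -> str:
    """Pre-fix flow: fall back to the default, then parse whatever is present."""
    value = submitted
    if value == "":
        value = default
    # The unconditional call: user-controlled input reaches the parser.
    return parse(value, log)


def serialize_fixed(submitted: str, default: str, log: ParseLog) -> str:
    """Post-fix flow: only the admin-configured default is ever parsed."""
    value = submitted
    if value == "":
        value = parse(default, log)
    return value


def regression_check() -> dict:
    """Run both flows on an empty submission and on a probe containing template
    syntax; return what each stored and which strings reached the parser."""
    default = "{{ submission.id }}"   # admin-configured Custom default (assumed)
    probe = "{{ request.ip }}"         # constructed submission with Twig-like syntax
    results = {}
    for name, fn in (("vulnerable", serialize_vulnerable), ("fixed", serialize_fixed)):
        log = ParseLog()
        results[f"{name}_empty"] = fn("", default, log)
        results[f"{name}_probe"] = fn(probe, default, log)
        results[f"{name}_parsed"] = list(log.parsed)
    return results


if __name__ == "__main__":
    for key, val in regression_check().items():
        print(f"{key}: {val}")
```

In the vulnerable flow the probe is resolved to the context value and appears in the parser log; in the fixed flow it is stored as the literal string and never reaches `parse()`, while an empty submission still yields the parsed default in both flows. The same shape works as a unit test against the real `serializeValue()`: submit a string containing `{{ ... }}` and assert it round-trips unchanged.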

Preconditions

  • config: A public Formie form must include at least one Hidden field with its Default value type set to 'Custom'.
  • network: The attacker must be able to submit HTTP requests to the public form endpoint.
  • auth: No authentication is required; the attacker can be unauthenticated.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.