VYPR
High severity · 8.7 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-47266

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated users can overwrite existing form submissions in Formie for Craft CMS by guessing a submission ID.

Vulnerability

The Formie plugin for Craft CMS prior to versions 2.2.21 and 3.1.26 does not enforce an authorization check on the formie/submissions/save-submission controller action. The action is reachable by guests so that front-end forms can be submitted, but before the fix an unauthenticated request that supplied a known or guessed submission ID was applied to that existing submission instead of creating a new one. All releases before the patched versions are affected. [1][2][3]

Exploitation

No authentication or user interaction is required. The attacker sends a POST request to formie/submissions/save-submission carrying a valid submission ID together with arbitrary field data. Because Craft element IDs are sequential integers, a valid ID does not need to be leaked: iterating through a range of IDs is enough to find existing submissions. [3]

Impact

Successful exploitation lets an unauthenticated attacker overwrite the field data of any existing submission. This is an integrity compromise: stored form responses can be corrupted, replaced with attacker-chosen content (including content that is later rendered or e-mailed by the site), or silently altered after the legitimate submitter has finished with them. [3]

Mitigation

The vulnerability is fixed in versions 2.2.21 and 3.1.26, released on 2026-05-29. Users should upgrade immediately. As a workaround until patched, block unauthenticated access to actions/formie/submissions/save-submission or disable front-end submission editing. Note that front-end forms submit through that same action, so blocking it outright also stops new submissions from being created; where possible, restrict the block to requests that carry a submission ID. [1][2][3]

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
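The first thing a practitioner wants from the Mitigation section is a way to tell whether a given Craft project is on a fixed Formie release. The script below is an added example, not code from the Formie project or from this advisory: it reads a composer.lock, finds the Formie package (assumed to be published under the Packagist name verbb/formie) and compares its version against the two fixed releases named above, treating a pre-release of a fixed version (for example 3.1.26-beta.1) as still unpatched. The composer.lock embedded in the block is constructed for the example.

```python
"""Triage check for CVE-2026-47266: is the installed Formie release patched?

Added example, not code from the Formie project or the advisory. It parses a
Craft project's composer.lock and compares the verbb/formie version against
the fixed releases named in the advisory (2.2.21 for 2.x, 3.1.26 for 3.x).
The package name verbb/formie is assumed to be Formie's Packagist name.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "verbb/formie"
# Fixed releases per the advisory, keyed by major version.
FIXED = {2: (2, 2, 21), 3: (3, 1, 26)}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.25', 'v2.2.20' or '3.1.26-beta.1' into a comparable tuple.

    The result is (major, minor, patch, final) where final is 1 for a final
    release and 0 for anything with a suffix, so that a pre-release sorts
    before the final release of the same number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad so '3.1' compares as 3.1.0
    return nums + (0 if m.group(2) else 1,)


def is_vulnerable(version: str) -> bool:
    """True if this Formie version is before the fixed release for its branch."""
    v = parse_version(version)
    major = v[0]
    if major >= 4:
        # Later than both fixed releases, so not in the affected range.
        return False
    fixed = FIXED.get(major)
    if fixed is None:
        # 1.x and older are "prior to 2.2.21" on a literal reading: report as vulnerable.
        return True
    return v < fixed + (1,)


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the installed version of `package` from composer.lock text, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def triage(lock_json: str) -> str:
    """One-line verdict for a composer.lock: not installed, OK, VULNERABLE or UNKNOWN."""
    version = installed_version(lock_json)
    if version is None:
        return f"{PACKAGE} not installed"
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        # e.g. 'dev-main': cannot be compared, so the check must be done by hand.
        return f"UNKNOWN: {PACKAGE} {version} (non-numeric version, verify manually)"
    if vulnerable:
        target = "3.1.26" if parse_version(version)[0] == 3 else "2.2.21"
        return f"VULNERABLE: {PACKAGE} {version} (upgrade to {target})"
    return f"OK: {PACKAGE} {version} is patched"


# Constructed sample composer.lock containing only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.0"},
        {"name": "verbb/formie", "version": "3.1.25"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    # Usage: python formie_check.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(triage(text))
```

Run it against the real composer.lock of each Craft project; a VULNERABLE result on a 3.0.x install is expected, since the fix for the 3.x branch only landed in 3.1.26.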

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5

News mentions

0

No linked articles in our index yet.