VYPR

Formie

by Verbb

Source repositories

CVEs (5)

  • CVE-2026-45697CriMay 29, 2026
    risk 0.57cvss 9.8epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the…

  • CVE-2026-47266HigMay 29, 2026
    risk 0.50cvss epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

  • CVE-2025-32427MedApr 11, 2025
    risk 0.35cvss 5.4epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.1.44, when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking…

  • CVE-2025-32426MedApr 11, 2025
    risk 0.30cvss 4.6epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to version 2.1.44, it is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered…

  • CVE-2024-35191MedMay 20, 2024
    risk 0.22cvss 4.4epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a…