CVE-2026-47266 is a HIGH severity (CVSS 8.7) authorization bypass in the Formie plugin for Craft CMS. Unauthenticated attackers can modify existing form submissions by submitting a known or guessed submission ID to the `formie/submissions/save-submission` endpoint. The vulnerability affects versions prior to 2.2.21 (v2.x branch) and 3.1.26 (v3.x branch). The issue was disclosed on 2026-05-29 with fixes re [truncated]
Formie, a Craft CMS plugin for form creation, contains a critical server-side template injection (SSTI) vulnerability in versions prior to 2.2.20 and 3.1.24. The flaw exists in Hidden fields configured with Default value → Custom, where unauthenticated user input is evaluated as Twig template code during form submission handling. This allows remote attackers to execute arbitrary code within the Craft CMS [truncated]
