PatchSiren cyber security CVE debrief

CVE-2026-45697 verbb CVE debrief

Formie, a Craft CMS plugin for form creation, contains a critical server-side template injection (SSTI) vulnerability in versions prior to 2.2.20 and 3.1.24. The flaw exists in Hidden fields configured with Default value → Custom, where unauthenticated user input is evaluated as Twig template code during form submission handling. This allows remote attackers to execute arbitrary code within the Craft CMS environment, potentially leading to complete site compromise. The vulnerability is exploitable without authentication and requires no user interaction, making it suitable for automated attacks. The CVSS 3.1 score of 9.8 reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability. The vendor (Verbb) has released patched versions and published a security advisory. Organizations using affected Formie versions should prioritize upgrading to 2.2.20 or 3.1.24 immediately, as no workarounds are documented.

Vendor: verbb
Product: formie
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running Craft CMS with the Formie plugin installed, particularly those exposing forms with Hidden fields to unauthenticated users. Web application security teams managing PHP-based CMS platforms. Developers and site administrators using Formie for form management who have not yet applied the May 2026 security updates.

Technical summary

The Formie plugin for Craft CMS fails to sanitize user input in Hidden fields with custom default values, passing submitted data directly to Twig template evaluation during form processing. This server-side template injection vulnerability allows unauthenticated attackers to execute arbitrary Twig code, which in Craft CMS context enables PHP code execution and full application compromise. The vulnerability affects both major version branches (2.x and 3.x) and was introduced by insufficient input validation on the Default value → Custom field configuration option.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade Formie to version 2.2.20 (for Craft 4.x) or 3.1.24 (for Craft 5.x) immediately
  • Review form configurations for any Hidden fields using Default value → Custom and verify no unauthorized template modifications
  • Audit Craft CMS logs for suspicious Twig template execution or unexpected form submissions
  • If immediate patching is not possible, consider disabling form submissions or restricting access to Formie-managed forms
  • Review and rotate any potentially exposed credentials or API keys accessible to the Craft CMS application
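The log-audit action above can be made concrete as a small triage script. The following is an added example, not code from PatchSiren, Verbb or Formie: it assumes form submissions are logged as one JSON object per line (the log lines, field handles and the configured hidden-field defaults are all constructed here) and flags two signals that matter for this bug, a submitted value carrying Twig delimiters and a Hidden field whose value differs from what the form builder configured.

```python
import json
import re

# Twig delimiters: output {{ }}, statement {% %}, comment {# #}.
TWIG_DELIMS = re.compile(r"\{\{|\{%|\{#")

# Constructed sample: one JSON line per form submission, as a web tier or a
# submission hook might log it. Field handles and values are made up.
SAMPLE_LOG = """\
{"ts":"2026-05-29T10:00:01Z","form":"contact","fields":{"email":"a@example.org","source":"newsletter"}}
{"ts":"2026-05-29T10:00:07Z","form":"contact","fields":{"email":"b@example.org","source":"{{ test }}"}}
{"ts":"2026-05-29T10:00:09Z","form":"contact","fields":{"email":"c@example.org","source":"campaign-x"}}
{"ts":"2026-05-29T10:00:12Z","form":"contact","fields":{"email":"{% set x = 1 %}","source":"newsletter"}}
"""

# Hidden fields per form and the default value configured in the form builder
# (assumed values; in practice taken from the site's own form configuration).
HIDDEN_DEFAULTS = {"contact": {"source": "newsletter"}}


def inspect_submission(entry, hidden_defaults):
    """Return a list of (field, reason) findings for one logged submission."""
    findings = []
    form = entry.get("form")
    fields = entry.get("fields", {})
    hidden = hidden_defaults.get(form, {})
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        if TWIG_DELIMS.search(value):
            findings.append((name, "twig-syntax"))
        # A Hidden field is not user-editable in the browser, so a submitted
        # value that differs from its configured default was set by the client.
        if name in hidden and value != hidden[name]:
            findings.append((name, "hidden-field-tampered"))
    return findings


def scan_log(text, hidden_defaults=HIDDEN_DEFAULTS):
    """Return (timestamp, form, findings) for every submission with findings."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        findings = inspect_submission(entry, hidden_defaults)
        if findings:
            results.append((entry["ts"], entry["form"], findings))
    return results
```

Run against the sample, three of the four submissions are reported; the hidden-field mismatch fires even when no template syntax is present, which is the earlier and quieter signal of someone probing the field.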

Evidence notes

Vulnerability description and affected versions derived from CVE record and GitHub Security Advisory. CVSS vector and score from NVD source data. Patch commits and release tags confirmed via GitHub references. CWE classifications (CWE-94, CWE-693, CWE-1336) from official source. No KEV listing present.

Official resources

2026-05-29