PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47266 verbb CVE debrief

CVE-2026-47266 is a HIGH severity (CVSS 4.0 score 8.7) authorization bypass in the Formie plugin for Craft CMS. An unauthenticated attacker who knows or guesses the ID of an existing form submission can overwrite that submission by posting the ID to the `formie/submissions/save-submission` endpoint. Affected versions are those before 2.2.21 on the v2.x branch and before 3.1.26 on the v3.x branch. The issue was disclosed on 2026-05-29 and fixed releases shipped the same day. No exploitation in ransomware campaigns has been reported.

Vendor: verbb
Product: formie
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running Craft CMS with the Formie plugin, especially where submissions carry personal, financial or otherwise regulated data, or where downstream systems (notification emails, CRM or ticketing integrations, approval workflows) act on submission contents as trusted input. Because the attack needs no credentials and its impact is on data integrity, security teams should treat patching as a priority.

Technical summary

The `formie/submissions/save-submission` endpoint accepts a submission ID from the request and, when one is supplied, loads that existing submission and updates it with the posted field values. It does not verify that the caller owns the submission or that the submission was started in the caller's session, so any unauthenticated request carrying a valid ID overwrites the stored data. This is the classic CWE-639 pattern: a user-controlled key selects the record and no authorization check binds that record to the requester. Because submission IDs are predictable, an attacker does not need to know a specific one; walking the ID space is enough.
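The missing check, shown as an added Python example (this is not Formie's or Craft's code; the in-memory store, the `submissionId`/`form`/`fields` request keys and the per-session set of editable submissions are assumptions): the vulnerable handler trusts the client-supplied ID and updates whatever row it names, while the hardened handler only updates a submission that the current session created, and only for the form it belongs to.

```python
"""CWE-639 on a form-submission save endpoint: vulnerable and hardened handlers.

Added illustration, not Formie code. The request is a plain dict, the session
is a dict, and the submissions table is an in-memory store (all constructed).
"""
from dataclasses import dataclass


@dataclass
class Submission:
    id: int
    form_handle: str
    fields: dict


class SubmissionStore:
    """Constructed stand-in for the submissions table with sequential integer IDs."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1

    def create(self, form_handle, fields):
        sub = Submission(self._next_id, form_handle, dict(fields))
        self._rows[sub.id] = sub
        self._next_id += 1
        return sub

    def get(self, submission_id):
        return self._rows.get(submission_id)


def save_submission_vulnerable(store, request, session):
    """Pattern behind the bug: a client-supplied submissionId selects the row to
    overwrite and nothing ties that row to the caller."""
    sid = request.get("submissionId")
    if sid is None:
        return store.create(request["form"], request["fields"]).id
    sub = store.get(int(sid))
    if sub is None:
        raise LookupError("no such submission")
    sub.fields.update(request["fields"])  # any existing submission can be rewritten
    return sub.id


def save_submission_fixed(store, request, session):
    """Same flow with an authorization check: an existing submission may only be
    updated from the session that created it, and only for the form it belongs to.
    (An authenticated user with explicit edit permission is not modelled here.)"""
    sid = request.get("submissionId")
    if sid is None:
        sub = store.create(request["form"], request["fields"])
        session.setdefault("own_submissions", set()).add(sub.id)  # bind row to session
        return sub.id
    sid = int(sid)
    if sid not in session.get("own_submissions", set()):
        # Not created in this session: refuse without revealing whether the id exists.
        raise PermissionError(f"submissionId {sid} is not editable in this session")
    sub = store.get(sid)
    if sub is None or sub.form_handle != request["form"]:
        raise PermissionError("submission does not belong to this form")
    sub.fields.update(request["fields"])
    return sub.id


def demo(handler):
    """A victim submits a contact form; an unrelated client then posts the guessed
    ID from its own session. Returns (victim's stored email, attacker outcome)."""
    store = SubmissionStore()
    victim_session, attacker_session = {}, {}
    victim_id = handler(
        store, {"form": "contact", "fields": {"email": "victim@example.com"}}, victim_session
    )
    attack = {
        "form": "contact",
        "submissionId": str(victim_id),  # guessed: IDs are sequential
        "fields": {"email": "attacker@example.com"},
    }
    try:
        handler(store, attack, attacker_session)
        outcome = "overwritten"
    except PermissionError:
        outcome = "denied"
    return store.get(victim_id).fields["email"], outcome


if __name__ == "__main__":
    print("vulnerable:", demo(save_submission_vulnerable))
    print("fixed:     ", demo(save_submission_fixed))
```

Binding the editable IDs to the server-side session is one way to establish ownership; a signed, per-submission token returned to the client at creation time and required on every update works equally well and suits stateless deployments. Either way the authorization decision must depend on something the attacker cannot guess, which a sequential integer ID is not.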

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Formie to 2.2.21 or later (v2.x) or 3.1.26 or later (v3.x). Confirm the installed version in the Craft control panel or with `composer show verbb/formie` before and after the update.
  • Review web server and application logs for POST requests to the `formie/submissions/save-submission` action that reference an existing submission ID, in particular many such requests from one client or IDs walked in sequence. Note that Craft accepts the action name in a POST `action` parameter as well as in the `actions/` URL path, so a filter on the URL path alone will miss most form posts.
  • If patching must wait, restrict the endpoint at the web server or WAF (for example, reject requests that reference an existing submission ID from clients that did not create it) and apply rate limiting. Treat these as stopgaps: rate limiting alone does not close the hole, since a single request with a known ID suffices, and blocking updates may break legitimate flows such as multi-page forms that update an existing submission.
  • Audit existing submissions for integrity: compare stored data against notification emails or integration records generated at submission time, and look for submissions modified after creation. Since IDs are sequential and predictable, assume the whole ID range was reachable.

Evidence notes

The vulnerability description and fixed versions come from the official CVE record and the GitHub Security Advisory. The stored CVSS 4.0 vector fragment (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N) describes a network-reachable attack of low complexity requiring no privileges and no user interaction, with high impact on integrity and none on confidentiality or availability; the subsequent-system metrics (SC/SI/SA) are not part of the stored fragment. The assigned weakness is CWE-639 (Authorization Bypass Through User-Controlled Key).
