CVE-2026-45697
Unauthenticated Twig Code Execution in Formie Plugin
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected Versions |
|---|---|---|
| formie | craft_cms_plugin | before 2.2.20 (fixed in 2.2.20) |
| formie | craft_cms_plugin | before 3.1.24 (fixed in 3.1.24) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45697 is a critical vulnerability in the Formie plugin for Craft CMS that allows unauthenticated users to perform server-side template injection (SSTI) through Hidden fields.
Specifically, if a Hidden field is configured with its Default value set to Custom, an attacker can submit a crafted value for that field and have it evaluated as Twig code while the form submission is processed.
Because the public form can be submitted without logging in, Twig code runs on the server with no authentication; how far that reaches (from leaking template variables to full compromise of the Craft site) depends on the template context and on whether Twig's sandbox restricts what the injected code can call.
The vulnerability affects Formie 2.x before 2.2.20 and 3.x before 3.1.24; those two releases contain the fix.
How can this vulnerability impact me?
This vulnerability can have severe impacts on the confidentiality, integrity, and availability of your Craft CMS site.
Because it allows unauthenticated server-side template injection, an attacker can execute Twig code on the server and, depending on the template and sandbox behavior, escalate that to arbitrary server-side code execution and full site compromise. Possible consequences include:
- Unauthorized access to sensitive data.
- Modification or deletion of site content or data.
- Potential disruption or denial of service of the website.
Exploitation requires only a publicly reachable form containing at least one Hidden field whose Default value is set to Custom; no login or other privilege is needed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by confirming whether your Craft CMS site runs a Formie plugin version before 2.2.20 (2.x) or 3.1.24 (3.x).
Then inventory public forms for Hidden fields whose Default value is set to Custom, since only those fields are evaluated as Twig during submission handling.
Because exploitation is an unauthenticated POST of a crafted value into a Hidden field, monitoring submissions to public Formie forms for Twig syntax can reveal exploitation attempts. Note that standard web-server access logs record the request line but not the POST body, so this only works where a reverse proxy, WAF, or application-level logging captures request bodies.
Commands to assist detection might include:
- Using curl or a similar tool to submit a harmless Twig expression such as `{{ 7*7 }}` into a Hidden field of a form on a site you own or are authorized to test, and checking whether the stored submission contains the evaluated result (49) rather than the literal text.
- Searching request logs (including WAF or proxy logs that capture bodies) for Twig delimiters such as `{{` or `{%`, and for their URL-encoded forms `%7B%7B` and `%7B%25`.
- Checking the installed Formie plugin version, for example with `composer show verbb/formie` in the project root or via the Plugins page of the Craft control panel, and comparing it against the fixed versions.
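The two local checks above, written out as an added example that is not from the advisory or from the Formie project: a version check against `composer.lock` for each fixed line, and a scan of request-log lines for raw or URL-encoded Twig delimiters. The Composer package name `verbb/formie` is assumed (the page does not state it), and the JSON-per-line log shape and the sample `composer.lock` fragment are constructed for the example; a real deployment would feed in its own proxy or WAF log format.

```python
"""Local checks for CVE-2026-45697 (added example, not Formie project code).

1. Read composer.lock and decide whether the installed Formie version is below
   the fixed release for its major line (2.2.20 for 2.x, 3.1.24 for 3.x).
2. Scan request-log lines for Twig delimiters in the path or a logged body.
   Plain access logs do not contain POST bodies, so the second check only finds
   something where a proxy, WAF or the application logs request bodies.
"""
import json
import re
from urllib.parse import unquote

# Assumption: the Composer package name is not stated on the advisory page.
PACKAGE = "verbb/formie"

# Fixed release per major line, from the advisory.
FIXED = {2: (2, 2, 20), 3: (3, 1, 24)}

# Twig delimiters for output and logic blocks. Matched after URL-decoding.
TWIG_RE = re.compile(r"\{\{|\{%")


def parse_version(version):
    """'v3.1.23-beta.1' -> (3, 1, 23); pads missing components with zeros."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if below the fix for its line, False if fixed.

    Returns None for lines the advisory does not cover (e.g. 1.x), so the
    caller can treat them separately instead of silently calling them safe.
    """
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def formie_version_from_lock(lock_text):
    """Return the installed version of PACKAGE from composer.lock text, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def has_twig_syntax(text):
    """True if text contains a Twig delimiter, raw or URL-encoded (once or twice)."""
    decoded = unquote(unquote(text))  # second pass catches %257B%257B
    return bool(TWIG_RE.search(decoded))


def suspicious_requests(log_lines):
    """Return (method, path, field) for each JSON log record carrying Twig syntax."""
    hits = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not in the expected per-line JSON shape; skip
        for field in ("path", "body"):
            if has_twig_syntax(rec.get(field, "")):
                hits.append((rec.get("method"), rec.get("path"), field))
                break
    return hits


# Constructed sample inputs (not real data).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.0.0"},
        {"name": PACKAGE, "version": "3.1.23"},
    ]
})

SAMPLE_LOG = [
    '{"method":"POST","path":"/contact","body":"fields[hidden1]=abc123&handle=contact"}',
    '{"method":"POST","path":"/contact","body":"fields[hidden1]=%7B%7B7*7%7D%7D&handle=contact"}',
    '{"method":"GET","path":"/?q={%25if%20true%25}x{%25endif%25}","body":""}',
    '{"method":"POST","path":"/newsletter","body":"email=a%40b.example&fields[src]=%257B%257B7*7%257D%257D"}',
]

if __name__ == "__main__":
    # For a real project: formie_version_from_lock(open("composer.lock").read())
    ver = formie_version_from_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {ver}: vulnerable={is_vulnerable(ver)}")
    for method, path, field in suspicious_requests(SAMPLE_LOG):
        print(f"twig syntax in {field} of {method} {path}")
```

The version check keys on the major line so that 2.2.20 is not mistakenly reported as older than 3.1.24, and the log scan decodes twice because double URL-encoding is a common way to slip `{{` past naive string filters. Either hit is a reason to check the submission store for evaluated values and to upgrade immediately.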
What immediate steps should I take to mitigate this vulnerability?
The primary fix is to upgrade the Formie plugin to 2.2.20 or later on the 2.x line, or 3.1.24 or later on the 3.x line, where the vulnerability is fixed.
If upgrading is not immediately possible, temporary workarounds include removing Hidden fields from public forms or changing their Default value setting away from Custom so that submitted values are no longer evaluated as Twig.
Restricting access to public forms, or rejecting submissions containing Twig delimiters (`{{`, `{%`, and their URL-encoded forms) at a WAF or reverse proxy, can reduce exposure in the meantime; treat such filtering as a stopgap only, since it can block legitimate input and an upgrade is the only complete remedy.