CVE-2026-45697
Status: Deferred - Pending Action
Unauthenticated Twig Code Execution in Formie Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-06-19
AI Q&A: 2026-05-30
EPSS Evaluated: 2026-06-18
Affected Vendors & Products (3 associated CPEs)
Vendor  Product           Version / Range
formie  craft_cms_plugin  < 2.2.20 (excluding 2.2.20)
formie  craft_cms_plugin  < 3.1.24 (excluding 3.1.24)
verbb   formie            < 3.1.24 (excluding 3.1.24)
CWE ID    Description
CWE-1336  The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-94    The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-693   The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Compliance Impact

The vulnerability allows unauthenticated attackers to execute server-side template injection via Hidden fields in the Formie plugin, potentially leading to severe compromise of the Craft CMS site, including impacts on confidentiality, integrity, and availability.

Such a compromise could result in unauthorized access to sensitive data or disruption of services, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal data and system integrity.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to potential data breaches or loss of data integrity.

Executive Summary

CVE-2026-45697 is a critical vulnerability in the Formie plugin for Craft CMS that allows unauthenticated users to perform server-side template injection via Hidden fields.

Specifically, if a Hidden field is configured with a Default value set to Custom, attackers can submit crafted values that are evaluated as Twig code during form submission handling.

This means that malicious code can be executed on the server without any authentication, potentially compromising the entire Craft site depending on the template or sandbox behavior.

The vulnerability affects versions prior to 2.2.20 and 3.1.24 and has been fixed in those versions.

Impact Analysis

This vulnerability can have severe impacts on the confidentiality, integrity, and availability of your Craft CMS site.

Because it allows unauthenticated server-side template injection, an attacker could execute arbitrary code on the server, leading to full site compromise. Potential consequences include:

  • Unauthorized access to sensitive data.
  • Modification or deletion of site content or data.
  • Potential disruption or denial of service of the website.

Exploitation requires only public forms with at least one Hidden field using the Custom default value setting, and no login is needed.

Detection Guidance

This vulnerability can be detected by identifying whether your Craft CMS site is running a Formie plugin version prior to 2.2.20 or 3.1.24.

Specifically, check if there are any public forms with Hidden fields configured with the Default value set to Custom, as these fields are vulnerable to crafted Twig code injection.

Since the vulnerability involves unauthenticated submission of crafted values into Hidden fields, monitoring HTTP POST requests to public Formie forms for suspicious payloads containing Twig syntax could help detect exploitation attempts.

Commands to assist detection might include:

  • Using curl or similar tools to submit test payloads with Twig syntax to public forms and observing the response or behavior.
  • Searching server logs for POST requests containing Twig delimiters such as {{ or {%.
  • Checking the installed Formie plugin version via command line or CMS admin interface to confirm if it is below the fixed versions.
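The last two checks above (version comparison against the fixed releases, and a log search for Twig delimiters) as a small added script; this is example code written for this page, not part of Formie or of the advisory. It assumes the version string follows the usual major.minor.patch form and that the log source records the POST body, as a WAF or request-logging module would; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Fixed releases per major branch, as stated in the advisory.
FIXED = {2: (2, 2, 20), 3: (3, 1, 24)}

def parse_version(text):
    """'3.1.23' -> (3, 1, 23); pre-release suffixes such as '-beta.1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text):
    """True when the installed Formie version predates the fix for its branch.
    Assumption: majors without a listed fix are compared against 2.2.20, so
    any 1.x is treated as affected and any 4.x or later as unaffected."""
    ver = parse_version(text)
    return ver < FIXED.get(ver[0], FIXED[2])

# Twig delimiters. Lines are percent-decoded first because form posts are
# x-www-form-urlencoded, so "{{" usually arrives as "%7B%7B".
TWIG_MARKERS = re.compile(r"\{\{|\{%|\{#")

def suspicious_submissions(log_lines):
    """Return (line_no, decoded_line) for POST entries containing Twig delimiters."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if '"POST ' not in line:
            continue  # only form submissions are of interest for this bug
        decoded = unquote_plus(line)
        if TWIG_MARKERS.search(decoded):
            hits.append((n, decoded))
    return hits

# Constructed sample log lines (combined log format plus a body= field); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2026:10:01:02 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="fields%5Btracking%5D=%7B%7B+2*3+%7D%7D"',
    '203.0.113.6 - - [29/May/2026:10:01:05 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="fields%5Btracking%5D=utm_source%3Dnewsletter"',
    '203.0.113.7 - - [29/May/2026:10:02:10 +0000] "GET /docs?q=%7B%7B HTTP/1.1" 200 1024 body=""',
    '203.0.113.8 - - [29/May/2026:10:03:00 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="fields[tracking]={% set x = 1 %}"',
]
```

Run `suspicious_submissions(SAMPLE_LOG)` to get lines 1 and 4 flagged; the GET on line 3 is ignored even though it carries a delimiter, and the ordinary tracking value on line 2 is not reported.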
Mitigation Strategies

Immediate mitigation steps include upgrading the Formie plugin to version 2.2.20 or later on the 2.x branch, or 3.1.24 or later on the 3.x branch, where the vulnerability is fixed.

If upgrading is not immediately possible, temporary workarounds include removing Hidden fields from public forms or changing their Default value setting away from Custom to prevent evaluation of Twig code.

Additionally, restricting access to public forms or implementing input validation and filtering on form submissions can reduce the risk of exploitation.
