CVE-2026-47266
Status: Deferred - Pending Action
Unauthenticated Submission Modification in Formie Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-30
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (6 associated CPEs)
Vendor   Product   Version / Range
formie   formie    up to 2.2.21 (inclusive)
formie   formie    up to 3.1.26 (inclusive)
verbb    formie    2.2.21
verbb    formie    3.1.26
verbb    formie    up to 2.2.21 (exclusive)
verbb    formie    up to 3.1.26 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-47266 is a vulnerability in the Formie plugin for Craft CMS that allows unauthenticated users to modify existing form submissions. This happens because the plugin accepted submission editing requests without proper authentication, allowing attackers to post a known or guessed submission ID to the endpoint formie/submissions/save-submission and overwrite submissions.

The vulnerability affects versions prior to 2.2.21 and 3.1.26 and was fixed by adding a submissionEditToken to secure submission editing requests.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users to alter form submissions without authentication. This could lead to data integrity issues, where submitted information is changed or corrupted.

Such unauthorized modifications could affect business processes relying on accurate form data, potentially causing operational disruptions or misleading data collection.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint formie/submissions/save-submission, especially requests that reference existing submission IDs from clients that did not create them or that cycle through many IDs.

You can use network monitoring or web server logs to identify such suspicious requests.

  • Use command-line tools like curl or wget to test if the endpoint accepts unauthenticated submission edits.
  • Example curl command to test the vulnerability (replace URL and submission ID accordingly):

curl -X POST https://yourdomain.com/formie/submissions/save-submission -d 'submissionId=KNOWN_OR_GUESSED_ID&other_form_data=...' -v

  • Check web server access logs for POST requests to formie/submissions/save-submission without authentication.
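
The log check above can be scripted. The following Python script is an added example, not part of this record or of the Formie project: it parses combined-format web server access logs (a constructed sample is embedded) and flags any client that sends an unusual number of POST requests to the save-submission action within a short window, which is what guessing submission IDs looks like from the server side. The threshold, window, and log format are assumptions to tune for your site. Note the caveat that Craft CMS actions can also be invoked by an `action` parameter in the POST body, which access logs do not record; catching that form needs request-body logging at the WAF or application layer.

```python
"""Flag bursts of POST requests to Formie's save-submission action in access logs.

Added example for CVE-2026-47266 detection; not code from the Formie project.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format (assumed; adjust the regex for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The action route named in the advisory. Craft exposes actions under the
# "actions" trigger (/actions/<route>) or via index.php?p=actions/<route>,
# so we match on the substring rather than a fixed path.
TARGET = "formie/submissions/save-submission"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def is_save_submission(entry):
    """True for POST requests whose URL routes to the save-submission action."""
    return entry["method"] == "POST" and TARGET in entry["path"]


def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {client_ip: max_posts_in_window} for clients at or above `threshold`.

    Uses a sliding window over each client's sorted timestamps, so a client that
    spreads requests out slowly is not flagged while a rapid ID-guessing loop is.
    """
    stamps_by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_save_submission(entry):
            stamps_by_ip[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: one client hammers the action six times in five seconds
# with a scripting user agent and no referer; another client submits once from
# the site's own form page (assumed normal traffic).
SAMPLE_LOG = [
    f'198.51.100.7 - - [29/May/2026:10:00:0{i} +0000] '
    f'"POST /actions/{TARGET} HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for i in range(1, 7)
] + [
    f'203.0.113.5 - - [29/May/2026:10:00:03 +0000] '
    f'"POST /actions/{TARGET} HTTP/1.1" 200 512 "https://example.com/contact" "Mozilla/5.0"',
    '203.0.113.5 - - [29/May/2026:10:05:03 +0000] "GET /contact HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    "this line is not in combined format and is skipped",
]


if __name__ == "__main__":
    # In practice: find_bursts(open("/var/log/nginx/access.log"))
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"suspicious: {ip} sent {count} save-submission POSTs within 60s")
```

A flagged client is a lead, not proof: correlate its source address with the submission records whose `dateUpdated` changed in the same window, and compare against the IDs that client originally created.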

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Formie plugin to version 2.2.21 or 3.1.26 or later, where the vulnerability is fixed by adding a submissionEditToken to secure submission editing requests.

If updating immediately is not possible, temporarily block unauthenticated access to the endpoint formie/submissions/save-submission or disable front-end submission editing to prevent unauthorized modifications.

