{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45697", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-13T04:38:01.165Z", "datePublished": "2026-05-29T19:01:49.220Z", "dateUpdated": "2026-06-01T15:18:51.317Z"}, "containers": {"cna": {"title": "Formie: Pre-authenticated server-side template injection in Hidden fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2"}, {"name": "https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3", "tags": ["x_refsource_MISC"], "url": "https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3"}, {"name": "https://github.com/verbb/formie/releases/tag/2.2.20", "tags": ["x_refsource_MISC"], "url": "https://github.com/verbb/formie/releases/tag/2.2.20"}, {"name": "https://github.com/verbb/formie/releases/tag/3.1.24", "tags": ["x_refsource_MISC"], "url": "https://github.com/verbb/formie/releases/tag/3.1.24"}], "affected": [{"vendor": "verbb", "product": "formie", "versions": [{"version": "< 2.2.20", "status": "affected"}, {"version": ">= 3.0.0-beta.1, < 3.1.24", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-29T19:01:49.220Z"}, "descriptions": [{"lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value \u2192 Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24."}], "source": {"advisory": "GHSA-x7m9-mwc2-g6w2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-01T15:18:36.758634Z", "id": "CVE-2026-45697", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T15:18:51.317Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value \u2192 Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24."}], "id": "CVE-2026-45697", "lastModified": "2026-05-29T20:21:38.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-05-29T20:16:27.393", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/verbb/formie/commit/f690d5623163ce2a95da305238d6367575486ee3"}, {"source": "security-advisories@github.com", "url": "https://github.com/verbb/formie/releases/tag/2.2.20"}, {"source": "security-advisories@github.com", "url": "https://github.com/verbb/formie/releases/tag/3.1.24"}, {"source": "security-advisories@github.com", "url": "https://github.com/verbb/formie/security/advisories/GHSA-x7m9-mwc2-g6w2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0-beta.1,3.1.24)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "formie", "source": "cna", "vendor": "verbb"}, "product": "formie", "vendor": "verbb"}], "created": "2026-05-29T20:30:07.040815+00:00", "updated": "2026-05-29T21:00:09.740424+00:00", "vendors": ["verbb", "verbb$PRODUCT$formie"]}