CVE-2026-45697 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-45697: Formie: Pre-authenticated server-side template injection in Hidden fields

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.

HarborGuard Analysis

Synopsis

Server-side template injection in Formie, a Craft CMS plugin for building forms. The bug is reachable over the network without authentication: an unauthenticated attacker can submit crafted values into Hidden fields whose Default value is set to Custom, and those values are evaluated as Twig during submission handling. Successful exploitation can lead to remote code execution, disclosure of site data, and tampering with the Craft installation, with patched-image rebuilds at Formie 2.2.20 and 3.1.24 available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Formie plugin versions found in customer registries and build pipelines, including custom-built Craft CMS images.

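The matching step above depends on comparing installed plugin versions against the affected ranges correctly, including the prerelease lower bound on the 3.x line. As an added illustration (example code written for this page, not HarborGuard's scanner or Formie's own code), the following Python encodes the verbb/formie ranges listed in this advisory's Metrics section and checks a constructed image inventory against them. It assumes Composer/semver prerelease ordering (alpha < beta < rc < final release of the same number); the registry image names and installed versions are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges for verbb/formie as listed on this advisory page.
# Each inner list is a set of constraints that must all hold.
AFFECTED_RANGES = [
    [("<", "2.2.20")],
    [(">=", "3.0.0-beta.1"), ("<", "3.1.24")],
]

# Prerelease tags in the order Composer/semver sort them: alpha < beta < rc.
_PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}

Version = Tuple[Tuple[int, ...], Optional[Tuple[int, int]]]


def parse_version(text: str) -> Version:
    """Parse '3.0.0-beta.1' into ((3, 0, 0), (1, 1)) and '3.0.0' into ((3, 0, 0), None).

    The second element is None for a final release, which must sort after
    every prerelease of the same numeric core.
    """
    text = text.strip().lstrip("v")
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d+)?)?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in match.group(1).split("."))
    core = core + (0,) * (3 - len(core))  # pad '2.2' to (2, 2, 0)
    if match.group(2) is None:
        return core, None
    tag = match.group(2).lower()
    if tag not in _PRE_RANK:
        raise ValueError(f"unknown prerelease tag in {text!r}")
    return core, (_PRE_RANK[tag], int(match.group(3) or 0))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if pre_a == pre_b:
        return 0
    if pre_a is None:  # a is the final release, b a prerelease of it
        return 1
    if pre_b is None:
        return -1
    return -1 if pre_a < pre_b else 1


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the page's affected ranges."""
    return any(
        all(_OPS[op](compare(version, bound)) for op, bound in constraints)
        for constraints in AFFECTED_RANGES
    )


def recommended_fix(version: str) -> Optional[str]:
    """Patched release on the same major line, or None if not affected."""
    if not is_affected(version):
        return None
    major = parse_version(version)[0][0]
    return "3.1.24" if major >= 3 else "2.2.20"


# Constructed inventory: (image reference, installed verbb/formie version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("registry.example/craft-site:2026.04", "2.2.19"),
    ("registry.example/craft-blog:main", "3.1.24"),
    ("registry.example/craft-shop:rc", "3.0.0-beta.3"),
    ("registry.example/craft-docs:latest", "3.0.0-alpha.2"),
]


def scan(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (image, version, fix) for every affected image in the inventory."""
    findings = []
    for image, version in inventory:
        fix = recommended_fix(version)
        if fix is not None:
            findings.append((image, version, fix))
    return findings


if __name__ == "__main__":
    for image, version, fix in scan(SAMPLE_INVENTORY):
        print(f"{image}: verbb/formie {version} affected by CVE-2026-45697, upgrade to {fix}")
```

Note that the constructed 3.0.0-alpha.2 entry sorts before the range's lower bound 3.0.0-beta.1 and is therefore not flagged, while 3.0.0-beta.3 is; a plain string comparison would get both of these wrong, which is why prerelease ordering is implemented explicitly.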
Triage (status: Available)

Triage is available with the published CVSS 9.8 Critical score weighted against each customer's compliance policy, and the finding is routed to the security inbox configured for the affected repository or environment inside each customer org.

Patch (status: Pending upstream)

Patched-image rebuilds at Formie 2.2.20 (for the 2.x line) and 3.1.24 (for the 3.x line) are available on HarborGuard for environments running an affected version. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the form submission endpoint over the network, which is typically exposed on any public Craft CMS site running Formie.

  • Authentication: Not required

    No account or credentials are needed; any anonymous visitor who can POST a form submission can trigger the injection.

  • Victim interaction: Not required

    Exploitation is driven entirely by the attacker's submission and requires no action from a site user or administrator.

  • Attack complexity: Low (AC:L)

    AC:L indicates the exploit is reliable and free of race conditions or environmental prerequisites, though final impact depends on the site's Twig sandbox configuration.

Blast Radius

  • Executes attacker-controlled Twig in the context of the Craft CMS application, which on many configurations leads to arbitrary code execution on the web server.
  • Reads site secrets, database credentials, and stored content accessible to the Craft process.
  • Modifies or deletes Craft content, form submissions, and other persisted records.
  • Can disrupt or take the Craft site offline by tampering with application state or crashing the PHP worker.

How HarborGuard Handles This

Available on HarborGuard: patched-image rebuilds pinned to Formie 2.2.20 or 3.1.24 (matching the affected branch) for any environment running a vulnerable version. For customers who opt into auto-remediation, the rebuild is produced automatically, regression tests are run against the image, and a PR is opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy gates automatic merges, the finding lands in the configured security inbox with the rebuilt image attached for manual approval. As a compensating control until the upgrade lands, operators should disable Hidden fields whose Default value is set to Custom, or restrict access to form submission endpoints at the edge.


Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 2.2.20 (2.x line), 3.1.24 (3.x line)
  • Affected products: 1
  • Affected packages: verbb/formie, versions < 2.2.20; >= 3.0.0-beta.1, < 3.1.24
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H