Severity: HIGH · CVE-2026-47266 · CNA: GitHub_M

CVE-2026-47266: Formie: Unauthenticated front-end submission editing can overwrite existing submissions

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

HarborGuard Analysis

Synopsis

An access-control flaw in the Formie plugin for Craft CMS lets unauthenticated callers overwrite existing form submissions by POSTing a known or guessed submission ID to the formie/submissions/save-submission endpoint. The endpoint is reachable over the network with no authentication or victim interaction, and successful exploitation tampers with stored submission records (integrity impact only, no disclosure or denial of service). Patched releases 2.2.21 and 3.1.26 are published upstream, and patched-image rebuilds at the fix versions are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against Formie versions found in customer registries, CI pipelines, and custom-built Craft CMS images.
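As an added example (not HarborGuard's or Formie's own code), the version comparison such detection has to perform: pull the installed verbb/formie version out of a composer.lock and test it against the affected ranges listed on this page, taking care that the pre-release tag 3.0.0-beta.1 sorts below the 3.0.0 release. The composer.lock fragment is constructed for the example.

```python
import json
import re

# Affected ranges for verbb/formie as listed on this page:
#   < 2.2.21   and   >= 3.0.0-beta.1, < 3.1.26
AFFECTED_RANGES = [
    (None, "2.2.21"),
    ("3.0.0-beta.1", "3.1.26"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def _pre_key(pre):
    # Semver rule: numeric identifiers rank below alphanumeric ones, so tag each part.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))


def parse_version(text):
    """Turn '3.0.0-beta.1' into a sortable tuple; a release ranks above its pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(p) for p in m.group(1, 2, 3))
    pre = m.group(4)
    # (1, ()) for a final release sorts after (0, <pre-release key>) on equal core.
    return core + ((1, ()) if pre is None else (0, _pre_key(pre)),)


def is_affected(version):
    """True when the version falls inside any affected range (lower bound inclusive)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or v >= parse_version(lo)) and v < parse_version(hi):
            return True
    return False


def formie_version_from_lock(lock_json):
    """Return the installed verbb/formie version from composer.lock text, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "verbb/formie":
            return pkg["version"]
    return None


# Constructed composer.lock fragment (not from a real project) with an affected 3.x build.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/unrelated-package", "version": "1.0.0"},
    {"name": "verbb/formie", "version": "3.1.25"},
]})

if __name__ == "__main__":
    found = formie_version_from_lock(SAMPLE_LOCK)
    print(f"verbb/formie {found}: {'AFFECTED' if is_affected(found) else 'not affected'}")
```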

Status: Available

Triage

Triage capability scores this CVE at CVSS 8.7 (High, v4.0) and weights that score against each customer organization's compliance policy, so environments that treat unauthenticated tampering as a release blocker get the finding escalated and routed to the configured security or platform inbox.

Status: Available

Patch

A patched-image rebuild at Formie 2.2.21 (for the 2.x line) or 3.1.26 (for the 3.x line) is available on HarborGuard for environments running an affected version. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a pull request opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Craft CMS site hosting Formie over the network (AV:N), typically any internet-exposed form endpoint.

  • Authentication: Not required

    No credentials or session are needed (PR:N); any anonymous visitor can POST to the save-submission action.

  • Victim interaction: Not required

    Exploitation is server-side and does not require any user to click, view, or approve anything (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L); the only prerequisite is knowing or guessing a valid submission ID, and submission IDs are typically sequential integers.

Blast Radius

  • Overwrites the contents of existing Formie submissions, corrupting stored form data such as contact requests, applications, or survey responses.
  • Enables targeted tampering when an attacker can guess or enumerate submission IDs, for example replacing a legitimate submitter's email or message body with attacker-controlled values.
  • Does not expose submission contents to the attacker and does not crash the service; impact is limited to integrity of stored submissions (VC:N, VA:N, VI:H).

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at Formie 2.2.21 or 3.1.26 for environments running an affected version, with the version selected to match the existing 2.x or 3.x branch. For customers who opt into auto-remediation, the rebuild is paired with a regression-test run and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires a staged rollout, the finding is routed to the configured inbox with the fix version pinned so operators can promote the rebuild manually, and in the interim restricting public access to the formie/submissions/save-submission action at the ingress or WAF layer is a reasonable compensating control.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2.2.21, 3.1.26
Affected products: 1
Affected packages:
  • verbb / formie
    < 2.2.21 · >= 3.0.0-beta.1, < 3.1.26
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N