CVE-2026-45697 - Formie: Pre-authenticated server-side template injection in Hidden fields

CVE ID :CVE-2026-45697 Published : May 29, 2026, 8:16 p.m. | 2 hours, 8 minutes ago Description :Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...