Critical Formie Plugin Flaw Lets Attackers Hijack Craft CMS Sites
CVE-2026-45697 (CVSS 9.8) in the Formie Craft CMS plugin allows unauthenticated attackers to execute arbitrary code via Twig template injection in Hidden fields. Patch to 2.2.20 or 3.1.24 immediately.
A critical vulnerability in the Formie plugin for Craft CMS allows unauthenticated attackers to execute arbitrary code by submitting crafted values through Hidden form fields. The flaw, tracked as CVE-2026-45697, carries a CVSS score of 9.8 and was published on May 29, 2026.
Organizations running Formie versions prior to 2.2.20 (2.x branch) or 3.1.24 (3.x branch) should patch immediately.
Vulnerability Details
The vulnerability exists in Formie's handling of Hidden fields. When a Hidden field is configured with a "Default value" set to "Custom," the plugin fails to properly sanitize or escape user-submitted values before processing them.
Instead of treating input as data, Formie evaluates crafted input as Twig template code during server-side form submission handling. Twig is the PHP templating engine that powers Craft CMS, and it has full access to the PHP execution environment.
This server-side template injection (SSTI) allows attackers to:
- Execute arbitrary PHP code on the server
- Read sensitive files including configuration and database credentials
- Write files to the webserver filesystem
- Establish persistent backdoors
- Pivot to connected systems
Exploitation Requirements
The attack requires no authentication. An attacker simply needs network access to a Craft CMS site running a vulnerable Formie version with at least one form containing a Hidden field configured with a Custom default value.
Given Formie's popularity as a form builder for Craft CMS, many sites likely meet these conditions. The plugin has been downloaded over 100,000 times from the Craft Plugin Store.
Proof of Concept
While we won't publish exploit code, the attack vector is straightforward: submit a form with a Twig expression in the Hidden field value. Expressions like the following would execute server-side:
[injection point example redacted]
The payload passes through Formie's submission handler, gets evaluated by Twig, and executes with the web application's privileges.
Historical Context
This isn't the first critical vulnerability in Craft CMS or its plugin ecosystem. We've previously covered Craft CMS RCE vulnerabilities affecting PHP-based content management systems, and the pattern repeats: template engines with powerful execution capabilities create attractive attack surfaces.
The broader lesson applies across platforms—any feature that evaluates user input as code requires rigorous input validation, and Hidden fields are not exempt simply because they're not visible to users.
Affected Versions
| Branch | Vulnerable | Patched |
|---|---|---|
| 2.x | < 2.2.20 | 2.2.20+ |
| 3.x | < 3.1.24 | 3.1.24+ |
Remediation Steps
- Update Formie immediately to version 2.2.20 or 3.1.24 depending on your branch
- Review form configurations for Hidden fields with Custom default values
- Audit access logs for suspicious form submissions, particularly those with unusual characters in field values
- Check for compromise indicators including new files, modified configurations, or unexpected database entries
- Rotate credentials if you suspect prior exploitation, including database passwords and API keys
Organizations unable to patch immediately should consider disabling forms with Hidden Custom fields as a temporary mitigation, though this may impact site functionality.
Detection Guidance
Security teams can hunt for exploitation attempts by searching web server logs for:
- Form submissions containing Twig delimiters in POST data
- Unusual characters in form field values that wouldn't appear in normal user input
- POST requests to form endpoints from automated sources or unusual geographic locations
Web application firewalls (WAFs) with template injection rules may block some exploitation attempts, but determined attackers can often bypass generic protections.
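A defender-side illustration of the first two log hunts above: a small scanner, added here as an example and not code from the advisory or from Formie, that URL-decodes form POST bodies and flags any field whose value carries Twig delimiters. The log line format (method, path, raw body), the form path and the field names are constructed for the example, not Formie's real endpoints or parameter names.

```python
import re
from urllib.parse import parse_qs, unquote

# Twig delimiters: {{ ... }} output, {% ... %} tags, {# ... #} comments.
# A single brace (e.g. "{in USD}") is deliberately not matched.
TWIG_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Constructed sample log: "METHOD PATH RAW_BODY" per line. Path and field
# names are placeholders, not Formie's own.
SAMPLE_LOG = [
    "POST /forms/contact handle=contact&fields%5Bemail%5D=alice%40example.com&fields%5Bref%5D=newsletter",
    "POST /forms/contact handle=contact&fields%5Bref%5D=%7B%7B+1%2B1+%7D%7D",
    "POST /forms/contact handle=contact&fields%5Bref%5D=%257B%257B1%257D%257D",
    "POST /forms/contact handle=contact&fields%5Bnote%5D=price+%7Bin+USD%7D",
    "GET /forms/contact",
]


def find_twig_fields(raw_body: str) -> list:
    """Return (field, decoded_value) pairs whose value contains Twig delimiters."""
    hits = []
    # parse_qs performs the first percent-decode and turns '+' into spaces.
    for field, values in parse_qs(raw_body, keep_blank_values=True).items():
        for value in values:
            # A second percent-decode catches double-encoded values
            # (%257B -> %7B -> {) that a single decode would miss.
            candidate = unquote(value)
            if TWIG_DELIMITERS.search(candidate):
                hits.append((field, candidate))
    return hits


def scan_log(lines) -> list:
    """Scan log lines and return (line_no, path, hits) for POSTs carrying delimiters."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue  # only bodies of POST requests are inspected
        hits = find_twig_fields(parts[2])
        if hits:
            findings.append((line_no, parts[1], hits))
    return findings


if __name__ == "__main__":
    for line_no, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no} {path}: {hits}")
```

Matching after decoding matters: the raw access log shows `%7B%7B`, never `{{`, so a grep for literal delimiters on undecoded bodies misses every encoded submission.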
Why CMS Plugins Remain High-Risk
Content management systems like Craft CMS often inherit their plugin ecosystem's security posture. A perfectly secure core CMS becomes vulnerable the moment a user installs a flawed plugin.
This creates a challenging dynamic:
- Plugin developers may lack security expertise or resources for thorough code review
- Plugin updates require manual action from site administrators
- Vulnerability disclosure doesn't guarantee users will patch promptly
For organizations running CMS platforms, maintaining an inventory of installed plugins and monitoring security advisories is essential. Consider subscribing to vulnerability feeds and implementing automated update policies where possible.
References
The vulnerability was responsibly disclosed to Verbb, the Formie maintainers, who released patches on the same day as disclosure.