<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Formie (&lt; 3.1.27) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/formie--3.1.27/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:01:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/formie--3.1.27/feed.xml" rel="self" type="application/rss+xml"/><item><title>Formie Hidden Field SSTI Vulnerability (CVE-2026-52889)</title><link>https://feed.craftedsignal.io/briefs/2026-07-formie-ssti/</link><pubDate>Mon, 06 Jul 2026 17:01:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-formie-ssti/</guid><description>Formie Hidden fields in versions prior to 3.1.27 are vulnerable to Server-Side Template Injection (SSTI), allowing an unauthenticated attacker to inject Twig syntax into request-derived default values, potentially leading to remote code execution, sensitive information disclosure, or application state modification.</description><content:encoded><![CDATA[<p>A critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-52889, has been discovered in the <code>verbb/formie</code> plugin for Craft CMS. This flaw affects versions <code>3.0.0-beta.1</code> up to <code>3.1.26</code> and allows an unauthenticated attacker to execute arbitrary code or disclose sensitive information. The vulnerability arises when a public-facing form contains a Hidden field configured with a dynamic, request-derived default value (e.g., HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value). Attackers can inject malicious Twig templating syntax into these request fields, which is then evaluated server-side during front-end form rendering. This could lead to a complete compromise of the affected Craft CMS instance, exposing data, modifying application state, or enabling remote code execution, making immediate patching crucial for defenders.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Craft CMS instance utilizing the vulnerable Formie plugin (versions &gt;= 3.0.0-beta.1 and &lt;= 3.1.26).</li>
<li>Attacker scans for public-facing forms on the target instance that contain a Hidden field configured to use a request-derived default value (e.g., HTTP User Agent, Referer URL, Query Parameter, or Cookie Value).</li>
<li>Attacker crafts a specially malformed HTTP request targeting the identified form.</li>
<li>The malicious request embeds Twig template syntax within the value of the request-derived field (e.g., <code>User-Agent: {{_self.env.getconfig()}}</code> or <code>?param={{7*7}}</code>).</li>
<li>The Formie plugin, specifically within the <code>Hidden::getFrontEndInputOptions()</code> function, copies the attacker-controlled input directly into the <code>defaultValue</code> for the Hidden field.</li>
<li>During the subsequent front-end rendering process of the form, Craft CMS's Twig rendering engine evaluates the malicious <code>defaultValue</code> server-side, executing the injected Twig syntax.</li>
<li>Successful exploitation results in Server-Side Template Injection, potentially leading to remote code execution, disclosure of sensitive application or system information, or unauthorized modification of application state.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52889 allows an unauthenticated attacker to trigger server-side template evaluation simply by visiting a crafted URL. Depending on the injected payload and the site's Craft CMS configuration, this can lead to severe consequences including arbitrary remote code execution on the server hosting the Craft CMS instance. Other potential impacts include the disclosure of sensitive application data, database credentials, or system configurations, and unauthorized modification of the application's state, potentially defacing websites or disrupting services. The unauthenticated nature of the vulnerability means any public-facing vulnerable form is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>verbb/formie</code> to version <code>3.1.27</code> or later to patch CVE-2026-52889.</li>
<li>As a temporary workaround until patching, audit all public forms and remove or reconfigure any Hidden fields using request-derived default values, specifically: HTTP User Agent, HTTP Refer URL, Current URL, Current URL without Query String, Query Parameter, or Cookie Value, as noted in the summary.</li>
<li>Deploy the provided Sigma rule &quot;Detects CVE-2026-52889 Exploitation — Formie SSTI via Request-Derived Hidden Fields&quot; to your SIEM/detection platform and tune it for your environment to identify attempted exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>server-side-template-injection</category><category>web-vulnerability</category><category>craft-cms</category><category>formie</category><category>rce</category><category>cve-2026-52889</category><category>network</category></item></channel></rss>