{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/formie/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Formie"],"_cs_severities":["critical"],"_cs_tags":["server-side template injection","code-execution","craftcms","formie"],"_cs_type":"advisory","_cs_vendors":["Verbb"],"content_html":"\u003cp\u003eA server-side template injection vulnerability (CVE-2026-45697) has been identified within the Formie plugin for Craft CMS. The vulnerability resides in the processing of Hidden fields with a \u0026ldquo;Custom\u0026rdquo; default value. Unauthenticated users can exploit this by submitting crafted values within these Hidden fields. These values are then processed as Twig templates during form submission handling. Successful exploitation allows for arbitrary code execution within the context of the Craft CMS application, potentially leading to complete site compromise. The vulnerability affects sites using public Formie forms with at least one Hidden field configured with a custom default value. Patched versions are 2.2.20 and 3.1.24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a public-facing Formie form on a Craft CMS website.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the HTML source of the form to identify any Hidden fields that have a \u0026ldquo;Custom\u0026rdquo; default value.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload using Twig syntax. This payload can contain arbitrary code intended for execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious Twig payload into the value of the identified Hidden field.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the form to the Craft CMS website.\u003c/li\u003e\n\u003cli\u003eThe Formie plugin processes the form submission, including the Hidden field containing the injected Twig payload.\u003c/li\u003e\n\u003cli\u003eThe Formie plugin evaluates the \u0026ldquo;Custom\u0026rdquo; default value of the Hidden field as a Twig template.\u003c/li\u003e\n\u003cli\u003eThe malicious Twig payload is executed on the server, leading to arbitrary code execution and potential site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the affected Craft CMS website. This can lead to complete compromise of the site, including data theft, defacement, or denial of service. The vulnerability affects sites with public Formie forms that include at least one Hidden field configured with a custom default value. The number of affected sites is currently unknown, but any site using a Formie plugin version prior to the patched releases (2.2.20 and 3.1.24) is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Formie to version 2.2.20 or 3.1.24 to patch CVE-2026-45697.\u003c/li\u003e\n\u003cli\u003eAs an interim workaround, remove Hidden fields from public forms or switch the Hidden field default away from Custom where feasible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Formie SSTI Attempts via POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting Formie form submission endpoints, specifically looking for Twig syntax within form parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:24:22Z","date_published":"2026-05-18T17:24:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-formie-ssti/","summary":"A pre-authenticated server-side template injection vulnerability (CVE-2026-45697) exists in the Hidden fields of the Formie Craft plugin, allowing unauthenticated users to submit crafted values that are evaluated as Twig during submission handling, potentially leading to site compromise.","title":"Formie Plugin Server-Side Template Injection via Hidden Fields (CVE-2026-45697)","url":"https://feed.craftedsignal.io/briefs/2026-05-formie-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Formie","version":"https://jsonfeed.org/version/1.1"}