Tag
Formie Hidden fields in versions prior to 3.1.27 are vulnerable to Server-Side Template Injection (SSTI), allowing an unauthenticated attacker to inject Twig syntax into request-derived default values, potentially leading to remote code execution, sensitive information disclosure, or application state modification.