{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-52889/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Formie (\u003c 3.1.27)"],"_cs_severities":["critical"],"_cs_tags":["server-side-template-injection","web-vulnerability","craft-cms","formie","rce","cve-2026-52889","network"],"_cs_type":"advisory","_cs_vendors":["Verbb"],"content_html":"\u003cp\u003eA critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-52889, has been discovered in the \u003ccode\u003everbb/formie\u003c/code\u003e plugin for Craft CMS. This flaw affects versions \u003ccode\u003e3.0.0-beta.1\u003c/code\u003e up to \u003ccode\u003e3.1.26\u003c/code\u003e and allows an unauthenticated attacker to execute arbitrary code or disclose sensitive information. The vulnerability arises when a public-facing form contains a Hidden field configured with a dynamic, request-derived default value (e.g., HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value). Attackers can inject malicious Twig templating syntax into these request fields, which is then evaluated server-side during front-end form rendering. This could lead to a complete compromise of the affected Craft CMS instance, exposing data, modifying application state, or enabling remote code execution, making immediate patching crucial for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Craft CMS instance utilizing the vulnerable Formie plugin (versions \u0026gt;= 3.0.0-beta.1 and \u0026lt;= 3.1.26).\u003c/li\u003e\n\u003cli\u003eAttacker scans for public-facing forms on the target instance that contain a Hidden field configured to use a request-derived default value (e.g., HTTP User Agent, Referer URL, Query Parameter, or Cookie Value).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially malformed HTTP request targeting the identified form.\u003c/li\u003e\n\u003cli\u003eThe malicious request embeds Twig template syntax within the value of the request-derived field (e.g., \u003ccode\u003eUser-Agent: {{_self.env.getconfig()}}\u003c/code\u003e or \u003ccode\u003e?param={{7*7}}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Formie plugin, specifically within the \u003ccode\u003eHidden::getFrontEndInputOptions()\u003c/code\u003e function, copies the attacker-controlled input directly into the \u003ccode\u003edefaultValue\u003c/code\u003e for the Hidden field.\u003c/li\u003e\n\u003cli\u003eDuring the subsequent front-end rendering process of the form, Craft CMS's Twig rendering engine evaluates the malicious \u003ccode\u003edefaultValue\u003c/code\u003e server-side, executing the injected Twig syntax.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation results in Server-Side Template Injection, potentially leading to remote code execution, disclosure of sensitive application or system information, or unauthorized modification of application state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-52889 allows an unauthenticated attacker to trigger server-side template evaluation simply by visiting a crafted URL. Depending on the injected payload and the site's Craft CMS configuration, this can lead to severe consequences including arbitrary remote code execution on the server hosting the Craft CMS instance. Other potential impacts include the disclosure of sensitive application data, database credentials, or system configurations, and unauthorized modification of the application's state, potentially defacing websites or disrupting services. The unauthenticated nature of the vulnerability means any public-facing vulnerable form is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003everbb/formie\u003c/code\u003e to version \u003ccode\u003e3.1.27\u003c/code\u003e or later to patch CVE-2026-52889.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround until patching, audit all public forms and remove or reconfigure any Hidden fields using request-derived default values, specifically: HTTP User Agent, HTTP Refer URL, Current URL, Current URL without Query String, Query Parameter, or Cookie Value, as noted in the summary.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detects CVE-2026-52889 Exploitation — Formie SSTI via Request-Derived Hidden Fields\u0026quot; to your SIEM/detection platform and tune it for your environment to identify attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:01:15Z","date_published":"2026-07-06T17:01:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-formie-ssti/","summary":"Formie Hidden fields in versions prior to 3.1.27 are vulnerable to Server-Side Template Injection (SSTI), allowing an unauthenticated attacker to inject Twig syntax into request-derived default values, potentially leading to remote code execution, sensitive information disclosure, or application state modification.","title":"Formie Hidden Field SSTI Vulnerability (CVE-2026-52889)","url":"https://feed.craftedsignal.io/briefs/2026-07-formie-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-52889","version":"https://jsonfeed.org/version/1.1"}