Vendor
A pre-authenticated server-side template injection vulnerability (CVE-2026-45697) exists in the Hidden fields of the Formie Craft plugin, allowing unauthenticated users to submit crafted values that are evaluated as Twig during submission handling, potentially leading to site compromise.