Listen to this Post
How the Vulnerability Works
Formie is a popular Craft CMS plugin for building forms. The vulnerability arises from the way the plugin handles Hidden fields that are configured with a Custom default value. By design, this default value can be set as a Twig template, which is intended for dynamic content rendering. However, when a form is submitted, the plugin processes this value using Twig.
An unauthenticated attacker can exploit this by crafting a web request to a vulnerable public form. They can manipulate the HTTP POST request parameters, injecting malicious Twig code into the `value` of a Hidden field. The plugin then evaluates this input as a Twig template upon submission. This is made possible because the plugin constructs the code segment using externally-influenced input without properly neutralizing special syntax elements.
The impact is severe. By injecting payloads like `{{craft.app.config.general.securityKey}}` or more dangerous PHP function calls (if the sandbox is not strict), an attacker can potentially:
– Read sensitive application keys and database credentials.
– Access server environment variables.
– Execute arbitrary PHP code, leading to Remote Code Execution (RCE).
– Compromise the Craft CMS installation entirely.
This attack does not require any administrative login (CP login), allowing for a complete takeover from an unauthenticated state.
DailyCVE Form
Platform: Craft CMS
Version: <2.2.20/3.1.24
Vulnerability : Unauthenticated Twi…
Severity: Critical
date: 18/05/2026
Prediction: Patch already exists (18/05/2026)
What Undercode Say:
This is a classic example of Server-Side Template Injection (SSTI) facilitated by dangerous configuration defaults. The most critical aspect is the unauthorized nature of the attack surface. While sandboxing limits some advanced RCE, its effectiveness depends entirely on the host’s configuration. Administrators often incorrectly assume Hidden fields are safe because they are not visible to the average user, but they are fully mutable by attackers using tools like Burp Suite. The lack of input sanitization at the processing layer confirms a design flaw in how Twig is invoked for user-supplied data.
Analytics
The following Bash script can be used to scan for this vulnerability by checking the version of the `verbb/formie` composer package:
!/bin/bash echo "Checking Formie version for CVE-2026-45697..." cd /path/to/craft/project Check composer.lock for the installed version if grep -q '"name": "verbb/formie"' composer.lock; then VERSION=$(grep -A 5 '"name": "verbb/formie"' composer.lock | grep '"version":' | cut -d '"' -f 4) echo "Installed Formie Version: $VERSION" if [[ "$VERSION" < "2.2.20" ]] && [[ "$VERSION" != "3.1.24" ]]; then echo -e "\033[0;31mVulnerable: Unauthenticated Twig injection possible.\033[0m" else echo -e "\033[0;32mSafe: Vulnerable patch applied.\033[0m" fi else echo "Formie plugin not found." fi
How Exploit:
- Identify Target: Find a Craft CMS site using the Formie plugin with a public form containing a Hidden field.
- Craft Payload: Submit the form with a manipulated POST parameter for the hidden field. Replace the default value with a SSTI payload, e.g.,
{{craft.app.config.general.securityKey}}. - Execute: The server evaluates the Twig code during submission handling instead of escaping it.
- Output: The server response or subsequent page load contains the rendered output of the secret value.
Protection from this CVE
- Immediate Mitigation: Upgrade Formie to version 2.2.20 or 3.1.24 immediately.
- Temporary Workaround: In the administrative dashboard, edit affected forms and either delete the vulnerable Hidden fields or change their “Default Value” setting from “Custom” to a static value (e.g., “Text”).
- Web Application Firewall (WAF): Deploy a WAF rule to block HTTP requests containing typical Twig template syntax (
{{,}},{%,%}) in form parameters.
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on the server, leading to a full site takeover, data leakage (database credentials, API keys), and potential lateral movement within the hosting environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

