Craft CMS (Formie Plugin), Twig Injection via Hidden Field, CVE-2026-45697 (Critical)

Listen to this Post

How the Vulnerability Works

Formie is a popular Craft CMS plugin for building forms. The vulnerability arises from the way the plugin handles Hidden fields that are configured with a Custom default value. By design, this default value can be set as a Twig template, which is intended for dynamic content rendering. However, when a form is submitted, the plugin processes this value using Twig.
An unauthenticated attacker can exploit this by crafting a web request to a vulnerable public form. They can manipulate the HTTP POST request parameters, injecting malicious Twig code into the `value` of a Hidden field. The plugin then evaluates this input as a Twig template upon submission. This is made possible because the plugin constructs the code segment using externally-influenced input without properly neutralizing special syntax elements.
The impact is severe. By injecting payloads like `{{craft.app.config.general.securityKey}}` or more dangerous PHP function calls (if the sandbox is not strict), an attacker can potentially:
– Read sensitive application keys and database credentials.
– Access server environment variables.
– Execute arbitrary PHP code, leading to Remote Code Execution (RCE).
– Compromise the Craft CMS installation entirely.
This attack does not require any administrative login (CP login), allowing for a complete takeover from an unauthenticated state.

DailyCVE Form

Platform: Craft CMS
Version: <2.2.20/3.1.24
Vulnerability : Unauthenticated Twi…
Severity: Critical
date: 18/05/2026

Prediction: Patch already exists (18/05/2026)

What Undercode Say:

This is a classic example of Server-Side Template Injection (SSTI) facilitated by dangerous configuration defaults. The most critical aspect is the unauthorized nature of the attack surface. While sandboxing limits some advanced RCE, its effectiveness depends entirely on the host’s configuration. Administrators often incorrectly assume Hidden fields are safe because they are not visible to the average user, but they are fully mutable by attackers using tools like Burp Suite. The lack of input sanitization at the processing layer confirms a design flaw in how Twig is invoked for user-supplied data.

Analytics

The following Bash script can be used to scan for this vulnerability by checking the version of the `verbb/formie` composer package:

!/bin/bash
echo "Checking Formie version for CVE-2026-45697..."
cd /path/to/craft/project
Check composer.lock for the installed version
if grep -q '"name": "verbb/formie"' composer.lock; then
VERSION=$(grep -A 5 '"name": "verbb/formie"' composer.lock | grep '"version":' | cut -d '"' -f 4)
echo "Installed Formie Version: $VERSION"
if [[ "$VERSION" < "2.2.20" ]] && [[ "$VERSION" != "3.1.24" ]]; then
echo -e "\033[0;31mVulnerable: Unauthenticated Twig injection possible.\033[0m"
else
echo -e "\033[0;32mSafe: Vulnerable patch applied.\033[0m"
fi
else
echo "Formie plugin not found."
fi

How Exploit:

  1. Identify Target: Find a Craft CMS site using the Formie plugin with a public form containing a Hidden field.
  2. Craft Payload: Submit the form with a manipulated POST parameter for the hidden field. Replace the default value with a SSTI payload, e.g., {{craft.app.config.general.securityKey}}.
  3. Execute: The server evaluates the Twig code during submission handling instead of escaping it.
  4. Output: The server response or subsequent page load contains the rendered output of the secret value.

Protection from this CVE

  • Immediate Mitigation: Upgrade Formie to version 2.2.20 or 3.1.24 immediately.
  • Temporary Workaround: In the administrative dashboard, edit affected forms and either delete the vulnerable Hidden fields or change their “Default Value” setting from “Custom” to a static value (e.g., “Text”).
  • Web Application Firewall (WAF): Deploy a WAF rule to block HTTP requests containing typical Twig template syntax ({{, }}, {%, %}) in form parameters.

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on the server, leading to a full site takeover, data leakage (database credentials, API keys), and potential lateral movement within the hosting environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top