What is GHSA-pgxq-p76c-x9cg?

GHSA-pgxq-p76c-x9cg is a security advisory published by GitHub Security Advisories with High severity. formie's unauthenticated front-end submission editing can overwrite existing submissions

Which CVE IDs does GHSA-pgxq-p76c-x9cg cover?

GHSA-pgxq-p76c-x9cg covers the following CVE IDs: CVE-2026-47266. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-pgxq-p76c-x9cg?

GHSA-pgxq-p76c-x9cg affects 2 products, including: composer/verbb/formie:\u003e= 3.0.0, \u003c 3.1.26; composer/verbb/formie:\u003c 2.2.21.

GHSA-pgxq-p76c-x9cgHigh

formie's unauthenticated front-end submission editing can overwrite existing submissions

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-47266 →

📋 Description

Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

2.2.21, 3.1.26

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.

Credit

formie extends many thanks to:

Florian (Cyber Security Engineer, arcade solutions ag)
Contact: security@arcade.ch

🎯 Affected products2

composer/verbb/formie:>= 3.0.0, < 3.1.26
composer/verbb/formie:< 2.2.21

🔗 References (5)

https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg
https://nvd.nist.gov/vuln/detail/CVE-2026-47266
https://github.com/verbb/formie/releases/tag/2.2.21
https://github.com/verbb/formie/releases/tag/3.1.26
https://github.com/advisories/GHSA-pgxq-p76c-x9cg