What is GHSA-x7m9-mwc2-g6w2?

GHSA-x7m9-mwc2-g6w2 is a security advisory published by GitHub Security Advisories with Critical severity. Formie: Pre-authenticated server-side template injection in Hidden fields

Which CVE IDs does GHSA-x7m9-mwc2-g6w2 cover?

GHSA-x7m9-mwc2-g6w2 covers the following CVE IDs: CVE-2026-45697. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-x7m9-mwc2-g6w2?

GHSA-x7m9-mwc2-g6w2 has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

Which products are affected by GHSA-x7m9-mwc2-g6w2?

GHSA-x7m9-mwc2-g6w2 affects 2 products, including: composer/verbb/formie:\u003e= 3.0.0-beta.1, \u003c 3.1.24; composer/verbb/formie:\u003c 2.2.20.

GHSA-x7m9-mwc2-g6w2CriticalCVSS 9.8

Formie: Pre-authenticated server-side template injection in Hidden fields

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45697 →

📋 Description

### Impact - Unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). - Sites with public Formie forms that include at least one Hidden field with that configuration. - No CP login for the reported chain. ### Patches - [2.2.20](https://github.com/verbb/formie/releases/tag/2.2.20), [3.1.24](https://github.com/verbb/formie/releases/tag/3.1.24) ### Workarounds - Temporarily remove Hidden fields from public forms or switch Hidden default away from Custom where feasible - Otherwise, upgrade to patched versions

🎯 Affected products2

composer/verbb/formie:>= 3.0.0-beta.1, < 3.1.24
composer/verbb/formie:< 2.2.20

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products2

🔗 References (5)