CVE-2026-45697: Formie Craft CMS Plugin Remote Code Execution - What It Means for Your Business and How to Respond
A critical vulnerability in a widely used form-building plugin for Craft CMS creates an immediate and severe risk for organizations relying on public-facing websites. CVE-2026-45697 allows unauthenticated attackers to execute arbitrary code on affected servers simply by submitting malicious data through exposed forms. This issue affects businesses across industries that use Craft CMS for customer engagement, lead generation, or internal tools.
Your organization faces potential full system takeover, data theft, or service disruption if vulnerable. This post explains the business implications in clear terms, helps you determine exposure, and outlines practical response steps. While technical details appear in the appendix for your security team, the focus here remains on protecting operations, customers, and reputation.
Security researchers identified CVE-2026-45697 in the Formie plugin developed by Verbb for Craft CMS. The flaw stems from unsafe handling of hidden form fields configured with custom default values. These fields process user-submitted data through Twig templating without adequate safeguards, enabling server-side template injection.
The vulnerability received a CVSS score of 9.8, classifying it as critical. It requires no authentication, no user interaction beyond form submission, and offers low attack complexity. Public disclosure occurred on May 29, 2026, following responsible reporting by security researcher pwnsauc3. Verbb released patches in versions 2.2.20 and 3.1.24 shortly thereafter.
Timeline events include the initial advisory publication on GitHub and corresponding patches. Many organizations running public forms remained exposed during the window between discovery and widespread patching. This pattern underscores the speed at which modern web vulnerabilities can escalate from identification to active exploitation.
If your website uses the Formie plugin with public forms containing hidden fields, attackers can gain complete control of your web server without credentials. This means they could access sensitive customer data, alter content, install persistent malware, or use your infrastructure for further attacks. Operations face immediate downtime risks during incident response, while recovery diverts resources from core activities.
Data breaches trigger regulatory consequences under laws such as CCPA in California or PIPEDA in Canada. Fines, mandatory notifications, and legal costs accumulate quickly. Customer trust erodes when personal information or transaction details leak, leading to lost revenue and higher customer acquisition costs. Reputation damage extends beyond immediate victims to partners and stakeholders who question your security posture.
For e-commerce or service-based firms, compromised forms disrupt lead capture and transactions. Internal tools built on Craft CMS could expose backend systems, affecting supply chain partners or employee data. Compliance audits become more stringent following an incident, increasing ongoing security overhead. Even without immediate exploitation, the need for urgent patching and verification consumes IT budgets and management attention that could support growth initiatives.
Businesses in regulated sectors such as finance, healthcare, or government contracting face heightened scrutiny. A single overlooked vulnerable form can cascade into broader system compromise, amplifying financial and legal exposure far beyond the initial entry point.
Regional Bank Online Application Form: A community bank used Formie for mortgage pre-qualification forms on its public site. Attackers exploited the hidden field vulnerability to gain server access, exfiltrating applicant financial data for hundreds of customers. The breach triggered regulatory reporting, temporary site shutdown during forensics, and significant remediation costs while damaging customer confidence in the bank's digital services.
Mid-Sized Retailer Lead Generation: An online retailer relied on Craft CMS forms for newsletter sign-ups and product inquiries. Compromise via the plugin allowed attackers to inject malicious scripts, redirecting visitors to phishing sites and stealing session data. Sales dropped during the outage, and the incident required expensive third-party incident response, highlighting risks to revenue-generating customer touchpoints.
Non-Profit Membership Portal: A national nonprofit organization managed event registrations and donation forms through vulnerable Formie instances. Exploitation led to unauthorized access to donor databases, resulting in leaked contact information and potential identity theft concerns. Recovery efforts strained limited budgets and required public communications to rebuild trust among supporters.
Manufacturing Supplier Portal: A mid-market manufacturer used internal and partner-facing forms for quote requests. Attackers leveraged the flaw to pivot deeper into network resources, disrupting production scheduling tools and exposing proprietary bid data. Business continuity suffered, with contractual penalties and delayed deliveries affecting key client relationships.
If any of these statements describes your environment, take immediate action to assess and remediate.
Protect your digital assets by addressing this vulnerability and strengthening overall defenses. Contact IntegSec today for a comprehensive penetration test tailored to your Craft CMS environment and broader web infrastructure. Our experts deliver actionable insights that reduce risk and support secure business growth. Visit https://integsec.com to schedule your assessment and gain peace of mind.
The root cause lies in the Formie plugin's handling of Hidden fields where the default value type is set to Custom. User-supplied values submitted to these fields undergo Twig template evaluation during form submission processing without sufficient sanitization or sandbox restrictions. This constitutes a server-side template injection vulnerability leading to remote code execution.
Affected components center on form submission handlers in versions prior to 2.2.20 and 3.1.24. The attack vector is network-based via HTTP POST to public form endpoints. Attack complexity is low, with no required privileges or user interaction. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD references and the primary GHSA provide further details. Relevant CWEs include CWE-94 (Code Injection), CWE-693 (Protection Mechanism Failure), and CWE-1336 (Template Engine Neutralization).
Version enumeration: from the Craft project root, run
composer show verbb/formie
or check the plugin version in the Craft control panel.
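The version check above is easy to get wrong by hand, because the fix lands on two separate branches (2.2.20 for 2.x, 3.1.24 for 3.x), so a naive numeric comparison would call 2.2.19 "below 3.1.24" and yet it is vulnerable. The following is an added example, not code from the advisory or from Verbb: it reads the installed verbb/formie version out of a composer.lock document and reports it as vulnerable, patched or unknown per branch. The composer.lock excerpt is constructed; the "unknown" result for branches other than 2.x and 3.x is an assumption that the advisory only names fixes for those two.

```python
"""Added example (not from the advisory or from Verbb): decide whether an
installed verbb/formie version is on a fixed release.

Compares the version found in a composer.lock body against the fixed
releases named in the advisory, 2.2.20 for the 2.x branch and 3.1.24 for
the 3.x branch. Versions on any other branch (or unparsable ones such as
'dev-main') are reported as 'unknown' so a human checks the advisory.
"""
import json
import re

# Fixed versions from the advisory, keyed by major branch.
FIXED_VERSIONS = {2: (2, 2, 20), 3: (3, 1, 24)}

# Constructed composer.lock excerpt; not a real project file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.10"},
        {"name": "verbb/formie", "version": "v3.1.22"},
    ]
})

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v3.1.22' or '3.1.22' into (3, 1, 22); None for anything else."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def formie_status(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # e.g. 'dev-main': cannot be compared
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"          # branch not covered by the advisory (assumption)
    return "patched" if version >= fixed else "vulnerable"


def installed_formie_version(composer_lock_text):
    """Find verbb/formie in a composer.lock body; None if it is not installed."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "verbb/formie":
                return pkg.get("version")
    return None


def assess_composer_lock(composer_lock_text):
    """Status of the Formie install described by a composer.lock body."""
    version = installed_formie_version(composer_lock_text)
    if version is None:
        return "not-installed"
    return formie_status(version)


if __name__ == "__main__":
    # With a real project: assess_composer_lock(open("composer.lock").read())
    print(installed_formie_version(SAMPLE_COMPOSER_LOCK),
          assess_composer_lock(SAMPLE_COMPOSER_LOCK))
```

Pointing the script at a real composer.lock is the only change needed in practice; composer.lock records what is actually installed, whereas composer.json only records the allowed constraint.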
Scanner signatures: Look for detections targeting Formie hidden field Twig evaluation patterns in tools such as Nuclei or custom scripts scanning for the vulnerable submission handler.
Log indicators: Monitor for anomalous POST requests to form endpoints whose hidden field values contain Twig syntax such as {{ ... }} or {% ... %}. Unusual PHP process spawning or file writes in the web root may appear in application or system logs.
Behavioral anomalies: Unexpected server-side command execution, outbound connections from the web server, or modifications to Craft templates signal active exploitation. Network indicators include crafted form submissions with base64-encoded or obfuscated payloads targeting Twig functions.
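The log and network indicators above (Twig syntax in form field values, including base64-encoded variants) can be turned into a simple triage pass over captured form submissions. The following is an added example, not code from the advisory or from Verbb: it URL-decodes each form body, peels off up to two layers of base64 from values that look encoded, and flags any field whose value contains Twig delimiters. The request records, field names and submission path are constructed for the example and are not Formie's actual names; a real deployment would feed request bodies from a WAF or reverse-proxy log.

```python
"""Added example (not from the advisory): flag form submissions whose field
values carry Twig template syntax, including values hidden behind base64.

Input is a list of constructed request records (method, path, raw
application/x-www-form-urlencoded body). Paths and field names are
assumptions for the example, not Formie's real endpoint or field names.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Twig delimiters: output {{ }}, statement {% %}, comment {# #}.
TWIG_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# Values that look like base64: alphabet only, optional '=' padding.
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample requests; none is a real capture. "e3sgMSB9fQ==" is
# base64 for "{{ 1 }}", a benign expression used only as a detection sample.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/contact-form/submit",
     "body": "fields[email]=jane%40example.org&fields[source]=newsletter"},
    {"method": "POST", "path": "/contact-form/submit",
     "body": "fields[email]=x%40example.org&fields[source]=%7B%7B+1+%7D%7D"},
    {"method": "POST", "path": "/contact-form/submit",
     "body": "fields[email]=x%40example.org&fields[ref]=e3sgMSB9fQ=="},
    {"method": "GET", "path": "/about", "body": ""},
]


def decode_layers(value, max_depth=2):
    """Return the value followed by up to max_depth successive base64 decodings."""
    layers = [value]
    current = value
    for _ in range(max_depth):
        if len(current) % 4 != 0 or not BASE64_LIKE.match(current):
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break                      # looked like base64 but was not
        layers.append(decoded)
        current = decoded
    return layers


def suspicious_fields(body):
    """Return [(field, reason)] for fields whose (decoded) value has Twig syntax."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for depth, layer in enumerate(decode_layers(value)):
            if TWIG_DELIMITERS.search(layer):
                reason = "twig-syntax" if depth == 0 else f"twig-syntax-base64x{depth}"
                findings.append((name, reason))
                break                  # one finding per field is enough
    return findings


def triage(requests):
    """Return [(index, path, findings)] for POSTs carrying Twig syntax in a field."""
    hits = []
    for i, req in enumerate(requests):
        if req["method"] != "POST":
            continue
        findings = suspicious_fields(req["body"])
        if findings:
            hits.append((i, req["path"], findings))
    return hits


if __name__ == "__main__":
    for index, path, findings in triage(SAMPLE_REQUESTS):
        print(f"request #{index} {path}: {findings}")
```

Legitimate submissions almost never contain Twig delimiters, so every hit deserves a look at the server logs around that timestamp for the PHP process or file-write anomalies described above. The base64 heuristic is deliberately narrow (alphabet, length multiple of four) to keep ordinary words such as "newsletter" from triggering a decode attempt.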