CVE-2026-45697 Overview
CVE-2026-45697 is a server-side template injection vulnerability in Formie, a Craft CMS plugin for building forms. Versions prior to 2.2.20 and 3.1.24 evaluate unauthenticated user input as Twig template code during form submission handling. Attackers can submit crafted values into Hidden fields configured with a Default value of Custom, which the plugin then renders through the Twig engine. Successful exploitation can lead to remote code execution and full compromise of the Craft CMS site, depending on the template sandbox configuration. The issue is classified as Code Injection [CWE-94] and is fixed in Formie 2.2.20 and 3.1.24.
Critical Impact
Unauthenticated attackers can inject Twig expressions through form submissions, potentially executing arbitrary code on the Craft CMS host.
Affected Products
- Formie plugin for Craft CMS versions prior to 2.2.20
- Formie plugin for Craft CMS 3.x versions prior to 3.1.24
- Craft CMS sites using Formie forms with Hidden fields and Custom default values
Discovery Timeline
- 2026-05-29 - CVE-2026-45697 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45697
Vulnerability Analysis
Formie processes form submissions and substitutes Default values for Hidden fields before persisting the submission. When a Hidden field is configured with a Default value type of Custom, the plugin passes the submitted value through Twig template rendering instead of treating it as a literal string. Because the rendering happens during normal form submission handling, no authentication is required to reach the vulnerable code path.
An attacker who identifies a Formie form containing a Hidden field with this configuration can override the field value in the POST request. The submitted payload is then parsed and executed as Twig markup on the server. The effective impact depends on how Craft CMS's Twig sandbox is configured for the site, but server-side template injection in Twig commonly enables arbitrary PHP function invocation and shell command execution.
Root Cause
The root cause is unsafe evaluation of attacker-controlled input as Twig template source. Submission values originating from the HTTP request body should be treated as untrusted data, but Formie's Hidden field handler renders them through the template engine when the Default value type is set to Custom. The plugin lacks input validation and does not enforce a strict template sandbox boundary for untrusted submission data.
Attack Vector
Exploitation is performed over the network with no authentication and no user interaction. An attacker enumerates publicly accessible Formie forms, inspects the rendered HTML for Hidden field names, and submits a crafted POST request containing a Twig expression in place of the expected hidden value. The malicious payload is then evaluated server-side, returning template output or triggering side effects such as command execution. Refer to the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and the GitHub Formie Commit for technical details on the vulnerable code path and fix.
Detection Methods for CVE-2026-45697
Indicators of Compromise
- Form submission POST requests containing Twig delimiters such as {{, }}, {%, or %} in Hidden field values
- Unexpected outbound network connections or new shell processes spawned by the PHP-FPM or web server worker process
- Web access logs showing repeated submissions to Formie endpoints under /index.php?p=actions/formie/submissions/submit
- Newly created PHP files, scheduled tasks, or modifications to the Craft CMS storage/ or templates/ directories following form submission activity
Detection Strategies
- Inspect Formie form configurations in the Craft control panel and flag any Hidden fields with Default value type set to Custom
- Deploy web application firewall rules that block Twig syntax tokens within Formie submission parameters
- Audit application and PHP error logs for Twig parsing exceptions originating from Formie submission handlers
- Correlate web request telemetry with endpoint process execution to identify shell or interpreter children of the web server
Monitoring Recommendations
- Enable verbose logging on Craft CMS and forward access logs to a centralized analytics platform for anomaly review
- Monitor for unexpected child processes of php-fpm, httpd, or nginx such as sh, bash, curl, or wget
- Alert on file integrity changes within Craft CMS web roots and Formie plugin directories
- Track outbound DNS and HTTP traffic from web server hosts to detect post-exploitation callbacks
How to Mitigate CVE-2026-45697
Immediate Actions Required
- Upgrade Formie to version 2.2.20 (2.x branch) or 3.1.24 (3.x branch) without delay
- Review every form for Hidden fields configured with Default value type Custom and replace with static values where possible
- Rotate Craft CMS security keys and any credentials accessible from the web application environment if exploitation is suspected
- Inspect submission logs and server processes for indicators of post-exploitation activity
Patch Information
The maintainers released fixes in Formie 2.2.20 and Formie 3.1.24. The corrective change is documented in the Formie commit f690d56, which removes Twig evaluation of untrusted Hidden field submission values.
Workarounds
- Temporarily remove or disable forms containing Hidden fields configured with Custom Twig default values until upgrades are applied
- Apply a web application firewall rule that rejects requests where Formie submission parameters contain Twig syntax tokens
- Restrict the Craft CMS Twig sandbox configuration to deny dangerous tags and functions for any user-rendered context
# Upgrade Formie via Composer to a patched release
composer require verbb/formie:^3.1.24
# Or for the 2.x branch
composer require verbb/formie:^2.2.20
# Clear Craft CMS caches after upgrading
php craft clear-caches/all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
