Description
Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.
Published: 2026-02-12
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Craft CMS Freeform Control Panel
Action: Apply Patch
AI Analysis

Impact

Authenticated users with only form creation or editing rights can embed custom HTML or JavaScript inside form labels and integration metadata, which are rendered through a framework function that allows raw HTML injection without sanitization. When any administrator views the form builder or integration screens, the injected code executes in the context of the administrator’s browser, providing a stored XSS vector that can perform actions such as credential theft or session hijacking. This vulnerability is classified as a stored cross‑site scripting weakness.

Affected Systems

All versions of the Solspace Freeform plugin for Craft CMS 5.x released before version 5.14.7 are affected, regardless of the specific minor revision. Users should verify that they are running the approved version and apply updates accordingly.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating a moderate severity, and an EPSS score below 1 %, which reflects a very low probability of exploitation at present. The exploit requires authenticated access with permission to create or edit forms; therefore, the attack is limited to users who already possess some level of control over the form system, and the impact is confined to the Pantheon Control Panel interface where the malicious content is rendered.

Generated by OpenCVE AI on April 17, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Solspace Freeform to version 5.14.7 or later
  • Restrict form creation and editing permissions to trusted users or remove those rights for low‑privilege roles
  • Implement a Content Security Policy that blocks execution of inline scripts to reduce the impact of any residual XSS inputs

Generated by OpenCVE AI on April 17, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jp3q-wwp3-pwv9 Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue
History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:solspace:freeform:*:*:*:*:*:craft_cms:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Solspace
Solspace freeform
Vendors & Products Solspace
Solspace freeform

Fri, 13 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.
Title Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Solspace Freeform
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T15:05:01.855Z

Reserved: 2026-02-11T19:56:24.812Z

Link: CVE-2026-26188

cve-icon Vulnrichment

Updated: 2026-02-13T15:04:57.686Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T23:16:09.760

Modified: 2026-02-20T21:08:10.347

Link: CVE-2026-26188

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses