Unauthenticated users can submit crafted values into hidden form fields in Formie, a Craft CMS plugin. These values are interpreted as Twig templates during submission handling, allowing the execution of arbitrary Twig code on the server. This flaw is a classic server‑side template injection (CWE‑1336) that could also lead to the use of eval‑like functions (CWE‑94) or improper data validation (CWE‑693). Depending on the Craft site’s Twig sandbox configuration, an attacker may read or modify sensitive data, create privileged accounts, or gain full control of the application.

The vulnerability affects all versions of the Verbb Formie plugin released before 2.2.20 and 3.1.24. Administrators using earlier releases with any hidden form field configured to accept a custom default value are at risk. The plugin is a third‑party component integrated into Craft CMS sites, so the impact is limited to environments where Formie is installed and enabled.

The CVSS score of 9.8 reflects critical risk, and the EPSS score is not available, making the exact exploitation probability unknown. The likely attack vector is web‑based: an unauthenticated visitor can submit a crafted HTTP request to a form protected by Formie. If the site’s Twig sandbox allows template evaluation, the attacker’s payload can run with the application’s process privileges. Because this vulnerability is not listed in CISA’s KEV catalog, there is no evidence of widespread exploitation yet, but the high severity warrants immediate attention.