Description
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Formie is a Craft CMS plugin that allows front‑end submission creation. An unauthenticated attack can alter any existing submission by sending a known or guessed submission ID to the /submissions/save-submission endpoint. This results in unauthorized change of data, a breach of data integrity, and potential exposure of sensitive form content. The weakness is a CWE‑639 unauthorized user access flaw.

Affected Systems

The vulnerability affects installations of verbb:formie before version 2.2.21 and before version 3.1.26, i.e., any Formie plugin on Craft CMS that has not been updated to at least 2.2.21 or 3.1.26.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Because the EPSS score is not provided, the likelihood of exploitation is unknown, but the vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. The likely attack vector is an unauthenticated HTTP POST to the vulnerable endpoint and relies on knowledge of a valid submission ID. If an attacker can guess or discover a submission ID, they can overwrite the data of any existing entry.

Generated by OpenCVE AI on May 29, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Formie to version 2.2.21 or newer on Craft CMS installations.
  • If immediate upgrade is not possible, restrict unauthenticated POST access to the /submissions/save-submission endpoint via web‑server rules or firewall settings.
  • Monitor web logs for abnormal submission edits.

Generated by OpenCVE AI on May 29, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pgxq-p76c-x9cg formie's unauthenticated front-end submission editing can overwrite existing submissions
History

Fri, 29 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Verbb
Verbb formie
Vendors & Products Verbb
Verbb formie

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.
Title Formie: Unauthenticated front-end submission editing can overwrite existing submissions
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Verbb Formie
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T21:37:23.087Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47266

cve-icon Vulnrichment

Updated: 2026-05-29T21:37:19.376Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T20:16:28.520

Modified: 2026-05-29T20:21:38.773

Link: CVE-2026-47266

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T21:00:09Z

Weaknesses