Formie Craft CMS Plugin Unauthenticated Submission Editing Vulnerability

Vulnerability

A vulnerability in the Formie Craft CMS plugin, affecting versions prior to 2.2.21 and 3.1.26, allows unauthenticated users to modify existing form submissions. This is achieved by sending a known or guessed submission ID to the 'formie/submissions/save-submission' endpoint. The issue arises from insufficient access controls, enabling unauthorized manipulation of submission data.

Impact

Exploitation of this vulnerability allows for unauthorized modification of form submissions, potentially leading to data integrity issues.

Remediation

Users can upgrade to Formie version 2.2.21 or 3.1.26, both of which include the necessary patch. Alternatively, unauthenticated access to the 'actions/formie/submissions/save-submission' endpoint can be blocked, or front-end submission editing can be disabled or customized until the plugin is updated.
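While the upgrade or endpoint block is being rolled out, web server access logs can be reviewed for requests that address the save-submission action. The following is an added example, not code from Formie or from this advisory; it assumes Combined Log Format, Craft's default "actions" trigger segment, and constructed sample log lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "formie/submissions/save-submission"  # action path named in the advisory
ACTION_TRIGGER = "actions"  # assumption: Craft's default actionTrigger is unchanged

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "POST /index.php?action=formie%2Fsubmissions%2Fsave-submission HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2025:10:01:00 +0000] "POST /actions/users/login HTTP/1.1" 200 300 "-" "-"',
    '192.0.2.44 - - [01/Jan/2025:10:01:05 +0000] "GET /contact HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 400 120 "-" "-"',
]

def action_of(target):
    """Return the Craft action path a request target addresses, or None."""
    parts = urlsplit(target)
    full = "/" + unquote(parts.path).strip("/")
    marker = "/" + ACTION_TRIGGER + "/"
    if marker in full:  # /actions/<path>, also under index.php or a subdirectory
        return full.split(marker, 1)[1].strip("/").lower()
    action = parse_qs(parts.query).get("action")  # ?action=<path> form
    return action[0].strip("/").lower() if action else None

def find_hits(lines):
    """Collect every logged request that targets the save-submission action."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, when, method, target, status = m.groups()
        if action_of(target) == ENDPOINT:
            hits.append({"ip": ip, "time": when, "method": method, "status": int(status)})
    return hits

def hits_by_client(lines):
    """Count matching requests per client address for triage."""
    return Counter(h["ip"] for h in find_hits(lines))

if __name__ == "__main__":
    for ip, n in hits_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) to {ENDPOINT}")
```

Access logs do not record POST bodies, so a request that names the action only in a body parameter will not appear here, and the logs alone do not show whether a request was authenticated; each hit is a candidate for review against the affected submission.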

Added: May 29, 2026, 8:24 PM
Updated: May 29, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.