verbb/formie Security Advisories for 1.6.17 (5)
- [HIGH] formie's unauthenticated front-end submission editing can overwrite existing submissions
PKSA-2h9w-qq3j-93vt CVE-2026-47266 GHSA-pgxq-p76c-x9cg
Affected version: <2.2.21|>=3.0.0,<3.1.26
Reported by: GitHub
- [CRITICAL] Formie: Pre-authenticated server-side template injection in Hidden fields
PKSA-snft-3cv8-v5p5 CVE-2026-45697 GHSA-x7m9-mwc2-g6w2
Affected version: <2.2.20|>=3.0.0-beta.1,<3.1.24
Reported by: GitHub
- [MEDIUM] Formie has XSS vulnerability for email notification content for preview
PKSA-q8g8-6f85-c3mh CVE-2025-32426 GHSA-2xm2-23ff-p8ww
Affected version: <=2.1.43
Reported by: GitHub
- [MEDIUM] Formie has XSS vulnerability for importing forms
PKSA-m8j6-b24d-gz5q CVE-2025-32427 GHSA-p9hh-mh5x-wvx3
Affected version: <=2.1.43
Reported by: GitHub
- [MEDIUM] verbb/formie Server-Side Template Injection for variable-enabled settings
PKSA-vzbr-51wf-rdg1 CVE-2024-35191 GHSA-v45m-hxqp-fwf5
Affected version: <2.1.6
Reported by: GitHub