Josh Crawford

2 exploits, active since May 2024
CVE-2026-45697 (CRITICAL, WRITEUP)
Formie: Pre-authenticated server-side template injection in Hidden fields
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24.
CVSS 9.8
CVE-2024-35191 (MEDIUM, WRITEUP)
Formie < 2.0.44 and 2.1.0-2.1.5 - Authenticated Server-Side Template Injection via Submission Title or Success Message
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can insert malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message. This code is then executed when a submission is created or when the text is rendered. This has been fixed in Formie 2.1.6.
CVSS 4.4