CVE-2024-35191

Published: May 20, 2024Modified: Jun 17, 2026

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.

Affected (2)

Products: Verbb: Formie

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Verbb Formie	Before 2.0.44
Verbb Formie	From 2.1.0 to 2.1.6

Related CWEs

Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

References (4)

https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

Source: security-advisories@github.com

Patch

https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

Source: security-advisories@github.com

Vendor Advisory

https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.