CVE-2026-47266 | THREATINT

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

PUBLISHED Reserved 2026-05-18 | Published 2026-05-29 | Updated 2026-05-29 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 2.2.21

affected

>= 3.0.0-beta.1, < 3.1.26

affected

References

github.com/...formie/security/advisories/GHSA-pgxq-p76c-x9cg

github.com/verbb/formie/releases/tag/2.2.21

github.com/verbb/formie/releases/tag/3.1.26

cve.org (CVE-2026-47266)

nvd.nist.gov (CVE-2026-47266)

Download JSON