CVE-2026-47266 HIGH

CVE-2026-47266: Formie: Unauthenticated front-end submission editing can overwrite existing submissions

Vendor Verbb
Product formie
Weakness CWE-639 · IDOR
Published May 29, 2026
Last update May 29, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated