Unauthorized Submission Modification in Craft CMS Plugin by Verbb
CVE-2026-47266
8.7HIGH
What is CVE-2026-47266?
The Formie plugin for Craft CMS is prone to a vulnerability that allows unauthenticated users to modify existing form submissions. This occurs when users post a known or guessed submission ID, which can be exploited through the endpoint formie/submissions/save-submission. This issue has been addressed in versions 2.2.21 and 3.1.26, where necessary protections have been implemented to prevent unauthorized access.
Affected Version(s)
formie < 2.2.21 < 2.2.21
formie >= 3.0.0-beta.1, < 3.1.26 < 3.0.0-beta.1, 3.1.26