
URL: https://github.com/advisories/GHSA-pgxq-p76c-x9cg


formie's unauthenticated front-end submission editing can overwrite existing submissions

High severity GitHub Reviewed Published in verbb/formie • Updated

Package

verbb/formie (Composer)

Affected versions

>= 3.0.0, < 3.1.26
< 2.2.21

Patched versions

3.1.26
2.2.21

Description

Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

2.2.21, 3.1.26

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.
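
To decide whether a site needs the workaround or the upgrade, the installed version can be read from composer.lock and compared with the affected ranges listed above. This is an added example, not code from the advisory or from formie; the function names and the sample lock content are constructed, and it assumes a pre-release sorts just below its final release.

```python
import json
import re

PACKAGE = "verbb/formie"
# Boundaries copied from the advisory: "< 2.2.21" and ">= 3.0.0, < 3.1.26".
# The 4th element orders a pre-release (0) just below its final release (1).
FIX_2X = (2, 2, 21, 1)
START_3X = (3, 0, 0, 1)
FIX_3X = (3, 1, 26, 1)


def version_key(raw):
    """'v3.1.25' -> (3, 1, 25, 1); '3.1.26-beta.1' -> (3, 1, 26, 0); else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.]+)?", raw.strip())
    if not m:
        return None  # e.g. "dev-main": a branch build, not comparable by number
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), 0 if m.group(4) else 1)


def advisory_status(raw):
    """Classify one version string as 'affected', 'not affected' or 'unknown'."""
    key = version_key(raw)
    if key is None:
        return "unknown"
    if key < FIX_2X or START_3X <= key < FIX_3X:
        return "affected"
    # The advisory's ranges do not describe pre-releases outside them.
    return "not affected" if key[3] == 1 else "unknown"


def check_lock(lock_text):
    """Return (version, status) for verbb/formie in composer.lock text, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"], advisory_status(pkg["version"])
    return None


# Constructed sample: a minimal composer.lock, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/other-package", "version": "1.0.0"},
    {"name": "verbb/formie", "version": "3.1.25"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of "unknown" (branch builds, pre-releases outside the listed ranges) should be treated as unverified and checked by hand.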

Credit

formie extends many thanks to:

References

Published to the GitHub Advisory Database
Reviewed
Last updated

Severity

High
/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User interaction: None

Vulnerable System Impact Metrics

Confidentiality: None
Integrity: High
Availability: None

Subsequent System Impact Metrics

Confidentiality: None
Integrity: None
Availability: None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS score

(23rd percentile)

Weaknesses

CVE ID

CVE-2026-47266

GHSA ID

GHSA-pgxq-p76c-x9cg

Source code
