Auth bypass in Verbb Formie
CVE-2026-47266
Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is f…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (18.5th percentile)
Affected products
- Verbb Formie, versions < 2.2.21; versions >= 3.0.0-beta.1 and < 3.1.26
Weakness classification (CWE)