CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52889

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-07-06
Summary Formie Hidden fields could evaluate request-derived values as Twig during front-end form rendering. When a Hidden field used a dynamic default value such as HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value, the value was copied from the incoming request and later passed to Craft’s Twig rendering layer. This allowed an unauthenticated attacker to provide Twig syntax in request-controlled input and have it evaluated server-side when the form was rendered. Affected Versions verbb/formie for Craft 5: - Affected: >= 3.0.0-beta.1, <= 3.1.26 - Patched: 3.1.27 Impact An unauthenticated attacker could trigger server-side template evaluation by visiting a public form containing a Hidden field configured with a request-derived default value. Because Craft’s normal Twig environment exposes application objects, this may lead to disclosure of sensitive information, modification of application state, or remote code execution depending on the site configuration and available Twig capabilities. Technical Details The issue exists in the Hidden field front-end render path. Request-derived Hidden field defaults were assigned to the field’s defaultValue, then rendered via Twig in Hidden::getFrontEndInputOptions(). The fix ensures Twig rendering is only performed for the custom default option, where the template source is admin-authored. Request-derived default options are now treated as plain strings. Patches Update to Formie 3.1.27 or later. Workarounds Until patched, avoid using request-derived Hidden field defaults on public forms, including: - HTTP User Agent - HTTP Refer URL - Current URL - Current URL without Query String - Query Parameter - Cookie Value Alternatively, remove affected Hidden fields from public forms until the update is applied. Credit Name: Yanchon918s Email: ao9s@ao9s.net

⚡ Watch CVE-2026-52889

Get an email if CVE-2026-52889 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52889

CVE.org record

Embed the live status

CVE-2026-52889 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52889 status](https://www.csirts.com/badge/CVE-2026-52889)](https://www.csirts.com/cve/CVE-2026-52889)