formie's unauthenticated front-end submission editing can overwrite existing submissions · CVE-2026-47266 · GitHub Advisory Database · GitHub

formie's unauthenticated front-end submission editing can overwrite existing submissions

High severity GitHub Reviewed Published May 19, 2026 in verbb/formie • Updated May 29, 2026

Package

verbb/formie (Composer)

Affected versions

>= 3.0.0, < 3.1.26

< 2.2.21

Patched versions

3.1.26

2.2.21

Description

Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.

Credit

formie extends many thanks to:

Florian (Cyber Security Engineer, arcade solutions ag)
Contact: security@arcade.ch

References

engram-design published to verbb/formie

May 19, 2026

Published by the National Vulnerability Database

May 29, 2026

Published to the GitHub Advisory Database May 29, 2026

Reviewed May 29, 2026

Last updated May 29, 2026

Severity

High

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required None

User interaction None

Vulnerable System Impact Metrics

Confidentiality None

Integrity High

Availability None

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X