CVE-2026-26188

Severity: Medium (CVSS 4.0 base score 5.1) · EPSS 16.5%
Published Feb 12, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)

Description

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.

CVSS Details

Base Score
5.1
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Passive (P)
Scope X

Threat Intelligence

EPSS Exploit Probability
16.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor   | Product  | Version | Range
solspace | freeform | *       | ≥5.0.0 – <5.14.7

References 3

  • https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e
    Patch
  • https://github.com/solspace/craft-freeform/releases/tag/v5.14.7
    Product, Release Notes
  • https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9
    Exploit, Vendor Advisory

Remediation

  • https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e
    Patch