Platform: php
Component: solspace/craft-freeform
Fixed in: 5.0.1, 5.14.7
CVE-2026-26188 is a stored Cross-Site Scripting (XSS) vulnerability in the solspace/craft-freeform plugin for Craft CMS. It allows authenticated, low-privilege users, specifically those with permission to create or edit Freeform forms, to store arbitrary HTML and JavaScript that later executes in the browsers of administrators. The impact is confined to the Craft CMS Control Panel (CP): the payload fires when an admin user opens the form builder or the integration screens. According to this page the vulnerability affects solspace/craft-freeform up to and including 5.9.9, with the fix shipped in 5.14.7.
The root cause is that user-controlled strings, form field labels and integration metadata, are rendered in the CP's React-based form builder and integration screens through dangerouslySetInnerHTML without escaping or sanitization. An attacker with form-editing permission saves a payload in one of those fields; it is persisted with the form configuration, and when an administrator later opens the form builder or integration screen, the browser parses the label as markup and runs the embedded script inside the administrator's authenticated CP session. From there the script can perform any action the viewing administrator can perform in the CP, read session and CSRF tokens from the page context, or deface the administration interface, which turns a low-privilege form-editing account into effective administrator control of the Craft installation.
CVE-2026-26188 was publicly disclosed on January 22, 2026. No active exploitation has been publicly reported at the time of writing and the vulnerability is not listed in CISA's KEV catalog. However, a stored XSS that needs nothing more than a form-editing account and a crafted label is trivial to weaponize, so opportunistic abuse is plausible and public proof-of-concept payloads are likely to circulate once the issue is widely known.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26188 is to upgrade solspace/craft-freeform to 5.14.7 or later, which escapes the affected labels and metadata before they are rendered in the CP. If upgrading is not immediately possible, reduce the set of accounts that hold Freeform's form create/edit permissions to users you would also trust with administrator access, because that is what the bug effectively grants them. Audit existing form field labels and integration metadata for HTML tags, event-handler attributes (onerror=, onload=) or javascript: URLs and remove anything you did not put there; after the upgrade such values render inertly, but they are still evidence of who had access and what they attempted. A Web Application Firewall rule that blocks markup in form-configuration requests adds some friction but is a weak control here: the payload is submitted by an authenticated user through legitimate CP endpoints, and simple encoding variations evade signature rules. Note that the flaw is in how the plugin renders form configuration in the CP, not in the data visitors submit through published forms, so sanitizing form submissions does not address it.
Update the Solspace Freeform plugin to version 5.14.7 or later, either with Composer (composer update solspace/craft-freeform) or through the Plugin Store in the Craft control panel. This release fixes the stored Cross-Site Scripting (XSS) vulnerability.
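The following is an added example, not code from Freeform or Craft CMS, that models the rendering defect described above and the audit step recommended in the mitigation: a label is interpolated into markup destined for an HTML sink such as dangerouslySetInnerHTML, once raw and once escaped, and a heuristic scan flags stored labels that already contain markup. The function names, the regular expression and the sample labels are assumptions made for illustration.

```javascript
// Added example (not Freeform's or Craft's code): models the insecure and the
// escaped rendering of a user-controlled form label, and a heuristic audit of
// stored labels. Function names and sample labels are hypothetical.

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Insecure pattern: the raw label is interpolated into markup that is then
// handed to an HTML sink (dangerouslySetInnerHTML, innerHTML), so any tag or
// event-handler attribute inside the label is parsed and executed.
function renderLabelInsecure(label) {
  return `<label class="field-label">${label}</label>`;
}

// Fixed pattern: escape before the value reaches the sink. In React the same
// effect comes from rendering the label as a text child ({label}) instead of
// passing it through dangerouslySetInnerHTML.
function renderLabelSafe(label) {
  return `<label class="field-label">${escapeHtml(label)}</label>`;
}

// Heuristic audit for labels or metadata that already contain markup:
// an HTML tag, an on*= event-handler attribute, or a javascript: URL.
// Hits should be reviewed by hand; legitimate labels rarely contain these.
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspiciousLabels(labels) {
  return labels.filter((label) => MARKUP_RE.test(label));
}

// Constructed sample labels (hypothetical data, not taken from any real form).
const SAMPLE_LABELS = [
  "Email address",
  "Confirmation = yes",
  '<img src=x onerror="alert(document.cookie)">',
  "Phone <b>required</b>",
  'Click <a href="javascript:alert(1)">here</a>',
];

// Show both renderings of the payload label and the audit result.
function demo() {
  const payload = SAMPLE_LABELS[2];
  console.log("insecure:", renderLabelInsecure(payload));
  console.log("escaped: ", renderLabelSafe(payload));
  console.log("audit hits:", findSuspiciousLabels(SAMPLE_LABELS));
}

demo();
```

The escaped rendering is what the fixed release achieves for the CP screens; the audit helper is the kind of check to run over a dump of stored field labels and integration metadata before and after upgrading, with the caveat that the regular expression is a heuristic and will miss payloads that rely on encodings it does not recognise.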
CVE-2026-26188 is a stored Cross-Site Scripting (XSS) vulnerability in the solspace/craft-freeform plugin for Craft CMS. Authenticated, low-privilege users with form-editing permission can store HTML and JavaScript in form labels or integration metadata that executes in an administrator's browser when they view the form builder or integration screens in the Control Panel.
You are affected if you run solspace/craft-freeform 5.9.9 or earlier. This page's version data lists fixes in both 5.0.1 and 5.14.7, which leaves 5.10.0 through 5.14.6 unaccounted for, so treat any release below 5.14.7 as potentially affected and confirm the exact range against the vendor advisory. Check the installed version with composer show solspace/craft-freeform, or in the Control Panel under Settings > Plugins, and upgrade.
Upgrade to solspace/craft-freeform 5.14.7 or later. The fixed release escapes the user-controlled labels and metadata before rendering them in the Control Panel.
No active exploitation has been publicly reported, but the vulnerability needs only a form-editing account and a crafted label, so it is a realistic target. Review which accounts hold form-editing permissions and inspect stored form labels and integration metadata for unexpected markup.
Refer to the solspace website and Craft CMS security advisories for the official announcement and details regarding this vulnerability.