Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

The vulnerability stems from the insecure rendering of user-controlled form labels and integration metadata using dangerouslySetInnerHTML without proper sanitization. An attacker can craft malicious form submissions containing JavaScript payloads. When an administrator views the form builder or integration screens in the Craft CP, this payload executes in their browser context. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the Craft CMS administration interface. The attacker's ability to inject arbitrary JavaScript grants them a significant level of control within the CP, potentially allowing them to compromise the entire Craft CMS installation if further exploits are chained.

Organizations using Craft CMS with the solspace/craft-freeform plugin, particularly those with multiple administrators or users who have the ability to create and edit forms, are at risk. Shared hosting environments where multiple Craft CMS installations share the same server resources could also be affected if one installation is compromised.

• wordpress / composer / npm:

grep -r "dangerouslySetInnerHTML" /path/to/craft-freeform/

• generic web:

curl -I https://your-craft-site.com/admin/actions/forms/builder | grep -i 'X-XSS-Protection'

1. 2026-01-22Disclosure

   disclosure

Laatste update

5.15.13recent

1. Gereserveerd2026-02-11
2. Gepubliceerd2026-01-22
3. Gewijzigd2026-02-13
4. EPSS bijgewerkt2026-03-23

The primary mitigation for CVE-2026-26188 is to immediately upgrade to solspace/craft-freeform version 5.14.7 or later. This version includes the necessary sanitization fixes to prevent the XSS vulnerability. If upgrading is not immediately feasible, consider restricting access to the form builder and integration screens to only trusted administrators. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious HTML/JavaScript injection attempts can provide an additional layer of defense. Thoroughly review and sanitize all user-submitted data within your Craft CMS forms, even after upgrading, to ensure best practices are followed.