CVSS 7.5 HIGH Vulnerability

CVE-2026-47266: formie's unauthenticated front-end submission editing can overwrite existing submissions


CVSS Score: 7.5
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-47266
Vendor: composer
Affected Product: verbb/formie
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

[2.2.21](https://github.com/verbb/formie/releases/tag/2.2.21), [3.1.26](https://github.com/verbb/formie/releases/tag/3.1.26)

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.

Credit

formie extends many thanks to:

• Florian (Cyber Security Engineer, arcade solutions ag)
• Contact: [security@arcade.ch](mailto:security@arcade.ch)
