Cross-site Scripting (XSS)
Overview: solspace/craft-freeform is a flexible and user-friendly form building plugin! Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the use of the dangerouslySetInnerHTML function in various client and plugin page components. An attacker can execute arbitrar...
CVE-2026-26188
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-22 20:23:37+00:00 | published-proof-of-concept | https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9... |
GHSA-RWR8-XRPW-9QF5 solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets
Summary: The latest versions of both 4.x and 5.x are using Axios version 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios Details: We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js...
solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets
Summary: The latest versions of both 4.x and 5.x are using Axios version 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios Details: We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js...
EUVD-2026-2734
solspace/craft-freeform Has a DoS Vulnerability...
Server-Side Template Injection
solspace/craft-freeform is vulnerable to Server-Side Template Injection (SSTI). The vulnerability stems from improper input handling: the submission title field in forms allows arbitrary code injection when edited by users with form editing access...
Server-Side Template Injection
Overview: solspace/craft-freeform is a flexible and user-friendly form building plugin! Affected versions of this package are vulnerable to Server-Side Template Injection via the submission's title variable. An attacker can execute arbitrary code on the server by injecting malicious templates when...