VulnCheck KEV: CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Form Submission Data Exposure vulnerability discovered by Z3no in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions = 6.0.6...

CVE-2026-26188

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are...

CVE-2026-26188 Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are...

EUVD-2026-3782

Freeform Craft Plugin CP UI builder/integrations has Stored Cross-Site Scripting XSS issue...

GHSA-JP3Q-WWP3-PWV9 Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...

Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to store...

GHSA-RWR8-XRPW-9QF5 solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets

Summary The latest versions of both 4.x and 5.x are using Axios versions 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios Details We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js...

solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets

Summary The latest versions of both 4.x and 5.x are using Axios versions 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios Details We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js...

GHSA-58Q2-9X27-H2JM solspace/craft-freeform Has a DoS Vulnerability

Summary Freeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion CVE-2025-58754. Freeform version: 4.1.29 Craft CMS version: 4.16.8 Impact When Axios runs on Node.js and is given a URL with the data...

solspace/craft-freeform Has a DoS Vulnerability

Summary Freeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion CVE-2025-58754. Freeform version: 4.1.29 Craft CMS version: 4.16.8 Impact When Axios runs on Node.js and is given a URL with the data...

PT-2026-4737

Summary The latest versions of both 4.x and 5.x are using Axios versions 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios Details We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js...

EUVD-2025-25900

Malicious code in bioql PyPI...

GHSA-9HP3-F5G8-RCCG The Freeform CraftCMS plugin contains an Server-side template injection (SSTI) vulnerability

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

The Freeform CraftCMS plugin contains an Server-side template injection (SSTI) vulnerability

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

CVE-2025-52122

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

CVE-2025-52122

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

CVE-2025-52122

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...

CVE-2025-52122

Summary : CVE-2025-52122 affects the Freeform CraftCMS plugin. Vulnerable versions : Freeform 5.0.0 up to (but not including) 5.10.16. Root cause : Server-side template injection (SSTI) in Freeform allows arbitrary code execution. Impact : All users with access to editing a form submission title ...

CVE-2025-52122

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection SSTI vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...