Skip to content

Commit 5d63da7

Browse files
1 parent d35e904 commit 5d63da7

2 files changed

Lines changed: 118 additions & 0 deletions

File tree

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-565m-g33j-jq96",
4+
"modified": "2026-07-06T16:52:16Z",
5+
"published": "2026-07-06T16:52:16Z",
6+
"aliases": [
7+
"CVE-2026-52889"
8+
],
9+
"summary": "Formie Hidden field defaults vulnerable to Server-Side Template Injection",
10+
"details": "## Summary\nFormie Hidden fields could evaluate request-derived values as Twig during front-end form rendering.\n\nWhen a Hidden field used a dynamic default value such as HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value, the value was copied from the incoming request and later passed to Craft’s Twig rendering layer. This allowed an unauthenticated attacker to provide Twig syntax in request-controlled input and have it evaluated server-side when the form was rendered.\n\n## Affected Versions\n`verbb/formie` for Craft 5:\n- Affected: >= 3.0.0-beta.1, <= 3.1.26\n- Patched: 3.1.27\n\n## Impact\nAn unauthenticated attacker could trigger server-side template evaluation by visiting a public form containing a Hidden field configured with a request-derived default value.\n\nBecause Craft’s normal Twig environment exposes application objects, this may lead to disclosure of sensitive information, modification of application state, or remote code execution depending on the site configuration and available Twig capabilities.\n\n## Technical Details\nThe issue exists in the Hidden field front-end render path. Request-derived Hidden field defaults were assigned to the field’s defaultValue, then rendered via Twig in `Hidden::getFrontEndInputOptions()`.\n\nThe fix ensures Twig rendering is only performed for the custom default option, where the template source is admin-authored. Request-derived default options are now treated as plain strings.\n\n## Patches\nUpdate to Formie 3.1.27 or later.\n\n## Workarounds\nUntil patched, avoid using request-derived Hidden field defaults on public forms, including:\n- HTTP User Agent\n- HTTP Refer URL\n- Current URL\n- Current URL without Query String\n- Query Parameter\n- Cookie Value\n\nAlternatively, remove affected Hidden fields from public forms until the update is applied.\n\n## Credit\nName: Yanchon918s\nEmail: [ao9s@ao9s.net](mailto:ao9s@ao9s.net)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "verbb/formie"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.1.27"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/verbb/formie/security/advisories/GHSA-565m-g33j-jq96"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/verbb/formie"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-1336"
51+
],
52+
"severity": "CRITICAL",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-07-06T16:52:16Z",
55+
"nvd_published_at": null
56+
}
57+
}
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-xj53-j257-hxvg",
4+
"modified": "2026-07-06T16:52:35Z",
5+
"published": "2026-07-06T16:52:35Z",
6+
"aliases": [
7+
"CVE-2026-49439"
8+
],
9+
"summary": "OpenRemote read-only asset users can write predicted datapoints",
10+
"details": "# Summary\n\nThe predicted datapoint write endpoint allows users with only `read:assets` privileges to write predicted datapoints.\n\nThe endpoint:\n\n```text\nPUT /api/{realm}/asset/predicted/{assetId}/{attributeName}\n```\n\naccepts write requests from users lacking `write:assets`.\n\nThe implementation appears to check `READ_ASSETS` while performing a write operation through:\n\n```java\nassetPredictedDatapointService.updateValues(...)\n```\n\n# PoC\n\nA user was created with only:\n\n```text\nread:assets\n```\n\nand without `write:assets`.\n\nThe following request succeeded:\n\n```http\nPUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature\n```\n\nRequest body:\n\n```json\n[{\"x\":1779199999001,\"y\":1337}]\n```\n\nResponse:\n\n```text\nHTTP/2 204\n```\n\nDatabase verification confirmed the datapoint was written successfully:\n\n```text\nentity_id: 4Fr8Pcp7iDjrEmoSUFolvT\nattribute_name: temperature\nvalue: 1337\n```\n\n# Impact\n\nUsers with read-only asset permissions can modify predicted datapoints for assets.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "io.openremote:openremote-manager"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.24.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-xj53-j257-hxvg"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/openremote/openremote/commit/583dbbfb96076ba099be8729ddf506acf9e48325"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/openremote/openremote"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-862"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-07-06T16:52:35Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)