{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26188", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.812Z", "datePublished": "2026-02-12T22:55:19.859Z", "dateUpdated": "2026-02-13T15:05:01.855Z"}, "containers": {"cna": {"title": "Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9"}, {"name": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e", "tags": ["x_refsource_MISC"], "url": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e"}, {"name": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7"}], "affected": [{"vendor": "solspace", "product": "craft-freeform", "versions": [{"version": ">= 5.0.0, < 5.14.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T22:55:19.859Z"}, "descriptions": [{"lang": "en", "value": "Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7."}], "source": {"advisory": "GHSA-jp3q-wwp3-pwv9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T15:04:51.639148Z", "id": "CVE-2026-26188", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T15:05:01.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26188", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T15:04:51.639148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T15:04:57.686Z"}}], "cna": {"title": "Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)", "source": {"advisory": "GHSA-jp3q-wwp3-pwv9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "solspace", "product": "craft-freeform", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.14.7"}]}], "references": [{"url": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9", "name": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e", "name": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7", "name": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T22:55:19.859Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26188", "state": "PUBLISHED", "dateUpdated": "2026-02-13T15:05:01.855Z", "dateReserved": "2026-02-11T19:56:24.812Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T22:55:19.859Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solspace:freeform:*:*:*:*:*:craft_cms:*:*", "matchCriteriaId": "36F61891-6F61-4D3D-BACF-D1835425BEF6", "versionEndExcluding": "5.14.7", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7."}, {"lang": "es", "value": "El plugin Solspace Freeform para Craft CMS 5.x es una herramienta de creaci\u00f3n de formularios s\u00faper flexible. Un usuario autenticado y con bajos privilegios (capaz de crear/editar formularios) puede inyectar HTML/JS arbitrario en las vistas del constructor y de integraciones del Panel de Control (CP) de Craft. Las etiquetas de formulario controladas por el usuario y los metadatos de integraci\u00f3n se renderizan con dangerouslySetInnerHTML sin sanitizaci\u00f3n, lo que lleva a un XSS almacenado que se ejecuta cuando cualquier administrador ve las pantallas del constructor/integraci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 5.14.7."}], "id": "CVE-2026-26188", "lastModified": "2026-02-20T21:08:10.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T23:16:09.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.14.7)"}}], "product": "freeform", "vendor": "solspace"}], "analysis": {"en": {"generated_at": "2026-04-17T19:55:14.456867+00:00", "value": {"mitigation_remediation": ["Upgrade Solspace Freeform to version 5.14.7 or later", "Restrict form creation and editing permissions to trusted users or remove those rights for low\u2011privilege roles", "Implement a Content Security Policy that blocks execution of inline scripts to reduce the impact of any residual XSS inputs"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting in Craft CMS Freeform Control Panel"}, "threat_synthesis": {"affected_systems": "All versions of the Solspace Freeform plugin for Craft CMS 5.x released before version 5.14.7 are affected, regardless of the specific minor revision. Users should verify that they are running the approved version and apply updates accordingly.", "description_and_impact": "Authenticated users with only form creation or editing rights can embed custom HTML or JavaScript inside form labels and integration metadata, which are rendered through a framework function that allows raw HTML injection without sanitization. When any administrator views the form builder or integration screens, the injected code executes in the context of the administrator\u2019s browser, providing a stored XSS vector that can perform actions such as credential theft or session hijacking. This vulnerability is classified as a stored cross\u2011site scripting weakness.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.1, indicating a moderate severity, and an EPSS score below 1\u202f%, which reflects a very low probability of exploitation at present. The exploit requires authenticated access with permission to create or edit forms; therefore, the attack is limited to users who already possess some level of control over the form system, and the impact is confined to the Pantheon Control Panel interface where the malicious content is rendered."}}}}, "created": "2026-02-13T21:28:55.522533+00:00", "updated": "2026-04-17T20:00:09.029518+00:00", "vendors": ["solspace", "solspace$PRODUCT$freeform"]}