CVE-2026-26188

low-risk

Published 2026-02-12

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Freeform

Affected Vendors

Solspace

References (3)

Patch https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd...

Product https://github.com/solspace/craft-freeform/releases/tag/v5.14.7

Exploit https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pw...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal