CVE-2026-26188

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.
Configurations

Configuration 1

cpe:2.3:a:solspace:freeform:*:*:*:*:*:craft_cms:*:*

History

20 Feb 2026, 21:08

Type Values Removed Values Added
Summary
  • (es) Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in version 5.14.7.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
First Time Solspace
Solspace freeform
CPE cpe:2.3:a:solspace:freeform:*:*:*:*:*:craft_cms:*:*
References () https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e - () https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e - Patch
References () https://github.com/solspace/craft-freeform/releases/tag/v5.14.7 - () https://github.com/solspace/craft-freeform/releases/tag/v5.14.7 - Product, Release Notes
References () https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9 - () https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9 - Exploit, Vendor Advisory

12 Feb 2026, 23:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-12 23:16

Updated : 2026-02-20 21:08


NVD link : CVE-2026-26188

Mitre link : CVE-2026-26188

CVE.ORG link : CVE-2026-26188



Products Affected

solspace

  • freeform
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')