ByteOS Network

solspace

Source -

NVDCNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-26188

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-5.1||MEDIUM

EPSS-0.04% / 12.18%

7 Day CHG~0.00%

Published-12 Feb, 2026 | 22:55

Updated-20 Feb, 2026 | 21:08

Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens. This vulnerability is fixed in 5.14.7.

Vendor-solspace solspace

Product-freeform craft-freeform

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-52122

Assigner-MITRE Corporation

View Details

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-0.10% / 26.63%

7 Day CHG~0.00%

Published-27 Aug, 2025 | 00:00

Updated-09 Sep, 2025 | 18:53

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).

Vendor-solspace n/a

Product-freeform n/a

CWE ID-CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')