CVE-2024-35191

MEDIUM Year: 2024
CVSS v3 Score
4.4
Medium
Weakness Type
CWE-1336
View all →

Vulnerability Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.

Related Vulnerabilities

CVE-2025-23376

MEDIUM
CVSS:4.4(Medium)

Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker ...

CWE-13362025

CVE-2022-27662

MEDIUM
CVSS:4.8(Medium)

On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration ...

CWE-13362022

CVE-2022-0323

MEDIUM
CVSS:5.3(Medium)

Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1.

CWE-13362022

CVE-2025-26865

LOW
CVSS:3.5(Low)

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 ...

CWE-13362025

CVE-2023-6709

CRITICAL
CVSS:10.0(Critical)

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CWE-13362023

CVE-2024-32651

CRITICAL
CVSS:10.0(Critical)

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote...

CWE-13362024