CVE-2026-26188
📋 TL;DR
The Solspace Freeform plugin for Craft CMS 5.x contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with form creation/edit permissions to inject malicious HTML/JavaScript into the Craft Control Panel. This code executes when administrators view form builder or integration screens, potentially compromising admin sessions. The vulnerability affects all Craft CMS 5.x installations using Freeform plugin versions before 5.14.7.
💻 Affected Systems
- Solspace Freeform plugin for Craft CMS
📦 What is this software?
Freeform by Solspace
⚠️ Risk & Real-World Impact
Worst Case
An attacker with low-privilege access could inject malicious JavaScript that steals admin session cookies, performs actions as administrators, or installs backdoors when admins view compromised forms/integrations.
Likely Case
Attackers with authenticated access could deface the admin interface, steal session tokens, or perform limited administrative actions through XSS payloads.
If Mitigated
With proper access controls limiting who can create/edit forms, the attack surface is reduced, but any compromised low-privilege account could still exploit the vulnerability.
🎯 Exploit Status
Exploitation requires authenticated access with form creation/edit permissions. The vulnerability lies in the Control Panel rendering user-controlled form and integration data without proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.14.7
Vendor Advisory: https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9
Restart Required: No
Instructions:
1. Update the Freeform plugin to version 5.14.7 or later via the Craft Plugin Store or Composer.
2. Verify the update completed successfully.
3. Clear any Craft CMS caches if necessary.
🔧 Temporary Workarounds
Restrict form creation permissions
Temporarily remove 'create/edit forms' permissions from all non-essential users until patching is complete.
Adjust user permissions in Craft CMS Control Panel under Settings → Users
Content Security Policy (CSP)
Implement a strict CSP header to mitigate XSS impact by restricting script execution sources.
Add Content-Security-Policy header to web server configuration
🧯 If You Can't Patch
- Immediately audit and restrict user permissions to minimize accounts with form creation/edit capabilities
- Implement web application firewall (WAF) rules to detect and block XSS payload patterns in form submissions
🔍 How to Verify
Check if Vulnerable:
Check the Freeform plugin version in Craft CMS Control Panel under Settings → Plugins. If version is below 5.14.7, the system is vulnerable.
Check Version:
Check via Craft CMS admin panel or run: composer show solspace/craft-freeform
Verify Fix Applied:
After updating, verify the Freeform plugin shows version 5.14.7 or higher in the Craft Control Panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual form label modifications containing script tags or JavaScript code
- Multiple form edits from a single user in a short time frame
- Admin user sessions accessing forms with suspicious content
Network Indicators:
- HTTP POST requests to form builder endpoints with script tags in payloads
- Outbound connections from admin sessions to unexpected domains
SIEM Query:
source="craft_cms_logs" AND (message="*<script>*" OR message="*javascript:*") AND (path="*/freeform/*" OR component="freeform")
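The log indicators above turned into runnable detection logic, as an added example that is not part of the advisory or of Solspace's code: it flags Freeform Control Panel requests whose payload carries a script tag in any letter case, a javascript: URL or an inline event handler (variants a literal `*<script>*` match like the SIEM query misses), and users bursting form edits in a short window. The log line layout, user names and paths are constructed assumptions, not Craft's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic markers behind the advisory's indicators: script tags in any case,
# javascript: URLs, inline on*= handlers (coarse: also hits words like "online=").
XSS_MARKERS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]{2,}\s*=", re.I)

# Assumed log layout for this example (not Craft's or Freeform's real format):
#   <ISO-8601 timestamp> user=<name> method=<verb> path=<CP path> msg="<text>"
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) '
                     r'path=(?P<path>\S+) msg="(?P<msg>.*)"$')

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_xss_events(lines):
    """(user, path, matched marker) for Freeform requests carrying XSS markers."""
    hits = []
    for ev in map(parse_line, lines):
        if ev and "/freeform/" in ev["path"]:
            m = XSS_MARKERS.search(ev["msg"])
            if m:
                hits.append((ev["user"], ev["path"], m.group(0)))
    return hits

def burst_editors(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` Freeform POSTs inside any `window`."""
    stamps = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and "/freeform/" in ev["path"] and ev["method"] == "POST":
            stamps[ev["user"]].append(
                datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    flagged = []
    for user, ts in stamps.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)

# Constructed sample lines; editor2 is the suspicious one, the last line is
# outside Freeform and must not be flagged even though it contains a script tag.
SAMPLE_LOG = [
    '2026-03-01T10:00:01Z user=editor1 method=POST path=/admin/freeform/forms/save msg="label=Contact us"',
    '2026-03-01T10:00:40Z user=editor2 method=POST path=/admin/freeform/forms/save msg="label=<ScRiPt>alert(1)</ScRiPt>"',
    '2026-03-01T10:01:10Z user=editor2 method=POST path=/admin/freeform/forms/save msg="label=<a href=javascript:void(0)>help</a>"',
    '2026-03-01T10:02:00Z user=editor2 method=POST path=/admin/freeform/forms/save msg="description=Tell us more"',
    '2026-03-01T10:03:00Z user=editor1 method=POST path=/admin/entries/save msg="body=<script>x</script>"',
]
```

Run `find_xss_events(SAMPLE_LOG)` and `burst_editors(SAMPLE_LOG)` over real Control Panel request logs after mapping the fields to your own format.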