Freeform, Free Execution: Stored XSS in Craft CMS's Favorite Form Builder
Jan 22, 2026 · 6 min read
Executive Summary (TL;DR)
The Solspace Freeform plugin (versions <= 5.14.6) for Craft CMS contains a Stored XSS vulnerability in its Form Builder and Integrations views. Because the plugin renders user-controlled labels and SVG icons using React's `dangerouslySetInnerHTML` without sanitization, an attacker with basic 'edit form' permissions can inject malicious JavaScript. When an administrator views the compromised form builder, the script executes, leading to session hijacking and potential full site takeover.
A high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Solspace Freeform plugin for Craft CMS allows low-privileged users to hijack administrator sessions via the Control Panel.
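The unsafe rendering path described above next to a hardened one, as an added example that is not Freeform's code: `escapeHtml`, `sanitizeSvg`, `renderUnsafe` and `renderSafe` are hypothetical names, React is left out because `dangerouslySetInnerHTML` reduces to assigning `innerHTML`, and all sample inputs are constructed.

```javascript
// Added example, not Freeform's code. The render step is modelled as a function
// returning the markup the browser would parse from element.innerHTML.

// Render a user-supplied label as text, never as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list sanitizer for SVG icons: keeps a few drawing elements and presentation
// attributes and drops everything else (script, foreignObject, on* handlers, href, style).
// Regex-based for illustration; production code should use a DOM-based sanitizer such as DOMPurify.
const ALLOWED_TAGS = new Set(["svg", "g", "path", "circle", "rect", "line", "polyline", "polygon"]);
const ALLOWED_ATTRS = new Set(["xmlns", "viewBox", "d", "cx", "cy", "r", "x", "y", "x1", "y1", "x2", "y2",
  "width", "height", "points", "fill", "stroke", "stroke-width"]);

function sanitizeSvg(markup) {
  // Comments, CDATA and processing instructions are removed so they cannot hide tags.
  let out = String(markup).replace(/<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\?[\s\S]*?\?>/g, "");
  // Rebuild each allowed tag attribute by attribute; unknown tags vanish entirely.
  out = out.replace(/<(\/?)([A-Za-z][\w:-]*)([^>]*?)(\/?)>/g, (_, close, name, attrs, selfClose) => {
    if (!ALLOWED_TAGS.has(name)) return "";
    if (close) return `</${name}>`;
    const kept = [];
    const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (let m; (m = attrRe.exec(attrs)) !== null; ) {
      if (ALLOWED_ATTRS.has(m[1])) kept.push(`${m[1]}="${escapeHtml(m[2] ?? m[3] ?? m[4] ?? "")}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}${selfClose ? "/" : ""}>`;
  });
  // None of the allowed elements carry text, so stray text nodes (e.g. a script body) go too.
  return out.replace(/(^|>)[^<]+(?=<|$)/g, "$1");
}

// Vulnerable shape described in the advisory: raw label and icon go straight into innerHTML.
function renderUnsafe(label, svgIcon) {
  return `<span class="label">${label}</span><span class="icon">${svgIcon}</span>`;
}

// Hardened shape: label escaped, icon passed through the allow-list.
function renderSafe(label, svgIcon) {
  return `<span class="label">${escapeHtml(label)}</span><span class="icon">${sanitizeSvg(svgIcon)}</span>`;
}

// Constructed sample inputs: a benign icon and a hostile label/icon pair.
const BENIGN_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>';
const HOSTILE_LABEL = 'Email <script>alert(1)</script>';
const HOSTILE_ICON = '<svg viewBox="0 0 10 10" onload="alert(1)"><circle cx="5" cy="5" r="4"/></svg>';
```

Compare `renderUnsafe(HOSTILE_LABEL, HOSTILE_ICON)` with `renderSafe(HOSTILE_LABEL, HOSTILE_ICON)` to see the markup that reaches the administrator's browser in each case.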
Official Patches
Technical Appendix
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| solspace/craft-freeform (Solspace) | <= 5.14.6 | 5.14.7 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Stored Cross-Site Scripting (XSS) |
| Attack Vector | Network (Authenticated) |
| Severity | High / Critical (Context Dependent) |
| Component | Freeform Control Panel (Form Builder & Integrations) |
| Root Cause | Unsanitized `dangerouslySetInnerHTML` usage |
| Authentication Required | Yes (Low Privilege) |
MITRE ATT&CK Mapping
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Known Exploits & Detection
Vulnerability Timeline