Is solspace/craft-freeform affected by CVE-2026-26188?

Packagist solspace/craft-freeform is affected in >=5.0.0 <5.14.7.

Is CVE-2026-26188 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

low

CVE-2026-26188

Q: Is CVE-2026-26188 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

Packagist · solspace/craft-freeform

Summary

Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Severity: low
EPSS: 0.3% (p16)
Also known as: GHSA-jp3q-wwp3-pwv9
Published: 2026-01-22

References

https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9
https://nvd.nist.gov/vuln/detail/CVE-2026-26188
https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e

Related advisories

CVE-2025-52122 — critical · Packagist/solspace/craft-freeform

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.