Stored XSS in Freeform Craft Plugin Control Panel – security advisory published

[Pr4v33N-Sec]

How can we help you?

Dear Solspace team,

I reported and published a security advisory for a stored Cross-Site Scripting (XSS) vulnerability in the Freeform Craft plugin affecting the Control Panel (builder / integrations UI).

The advisory has already been published via GitHub Security Advisories and includes:

• Clear attack scenario
• Reproducible PoCs (form label & integration metadata vectors)
• Impact assessment (admin CP context)
• Affected versions and remediation guidance

Advisory link:
GHSA-jp3q-wwp3-pwv9

I’ve opened this discussion to:

1. Confirm maintainers are aware of the published advisory
2. Coordinate on CVE assignment (I’ve requested a CVE via GitHub’s CNA process)
3. Answer any technical questions or provide additional validation if needed

Please let me know if you’d like:

• Additional PoC details
• Verification against a specific Freeform / Craft version
• Help validating the fix once available

Thanks for your time and for maintaining Freeform.

Freeform Edition

Pro

Freeform Version

<= 5.14.6

Craft Version

<= 5.14.6

[Pr4v33N-Sec]

@timkelty @leevigraham @brandonkelly @angrybrad

[kjmartens]

@Prav33N-Sec this has been addressed. It's been published and resolved in a fixed version of Freeform (5.14.7+). 🙂

[Pr4v33N-Sec]

Thanks for the quick resolution and for releasing the patched version (5.14.7+), really appreciate the responsiveness.

Since this issue has now been publicly disclosed and fixed, would you be open to requesting a CVE ID for tracking and reference purposes? @kjmartens

[kjmartens]

Ok, I'll do that