solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets

Low severity GitHub Reviewed Published Jan 15, 2026 in solspace/craft-freeform • Updated Jan 15, 2026

Package

solspace/craft-freeform (Composer)

Affected versions

< 4.1.22
>= 5.0.0-beta.1, < 5.5.9

Patched versions

4.1.22
5.5.9

Description

Summary

The latest versions of both 4.x and 5.x are using Axios versions < 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios

Details

We've had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js. I couldn't see any reference to vulnerable axios versions in your package.json files, but noticed some precompiled files in packages/plugin so I'm assuming those are where the issue lies.
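Because a dependency compiled into a built asset does not show up in `package.json`, the built file itself has to be inspected. The following is an added example, not code from the advisory or from Freeform: a heuristic Node.js check that looks for an axios version string inside bundled JavaScript and compares it with the 1.7.5 threshold from the summary. The function names, the two string patterns it searches for, and the sample inputs are assumptions made for illustration; finding no match does not prove axios is absent.

```javascript
// Added example: heuristic search for an axios version baked into built JS.
const FLOOR = '1.7.5'; // from the advisory summary: versions below this are flagged

// true when semver string `v` is lower than `floor` (numeric major.minor.patch only)
function isBelow(v, floor) {
  const a = v.split('.').map(Number), b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function findAxiosVersions(src) {
  const found = new Set();
  // 1. Banner comment, if the build kept one: "Axios v1.6.2 ..."
  for (const m of src.matchAll(/Axios v(\d+\.\d+\.\d+)/g)) found.add(m[1]);
  // 2. Warning prefix built at runtime: "[Axios v" + <ident> or `[Axios v${<ident>}`.
  //    Assumption: that identifier is assigned the version as a string literal.
  for (const m of src.matchAll(/\[Axios v(?:["']\s*\+\s*|\$\{)([A-Za-z_$][\w$]*)/g)) {
    const ident = m[1].replace(/\$/g, '\\$&'); // escape "$" for use in a RegExp
    const def = new RegExp(
      '(?<![\\w$.])' + ident + '\\s*=\\s*["\'](\\d+\\.\\d+\\.\\d+)["\']', 'g');
    for (const d of src.matchAll(def)) found.add(d[1]);
  }
  return [...found].sort();
}

// Returns one finding per embedded version, marking those below FLOOR.
function auditBundle(name, src) {
  return findAxiosVersions(src).map((version) => ({
    file: name, version, vulnerable: isBelow(version, FLOOR),
  }));
}

// Reads real files (for example a built plugin.js) and audits each one.
async function auditFiles(paths) {
  const { readFileSync } = await import('node:fs');
  return paths.flatMap((p) => auditBundle(p, readFileSync(p, 'utf8')));
}

// Constructed samples imitating bundler output; not taken from Freeform's assets.
const SAMPLE_OLD =
  'const Xe="1.6.2";function w(o){return"[Axios v"+Xe+"] Transitional option \'"+o+"\'"}';
const SAMPLE_NEW = '/*! Axios v1.7.5 */\nvar a={};';

console.log(auditBundle('old.js', SAMPLE_OLD), auditBundle('new.js', SAMPLE_NEW));
```

Call `auditFiles([...])` with the paths of the built assets to check real files; any finding with `vulnerable: true` means the asset needs rebuilding against a patched axios.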

References

@kjmartens published to solspace/craft-freeform Jan 15, 2026
Published to the GitHub Advisory Database Jan 15, 2026
Reviewed Jan 15, 2026
Last updated Jan 15, 2026

Severity

Low

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-rwr8-xrpw-9qf5