CVE-2026-54721 Remote code execution via userforms email subject

Severity: High
Identifier: CVE-2026-54721
Versions Affected: silverstripe/userforms: < 6.4.9 || >= 7.0.0, < 7.0.7 || >= 7.1.0, < 7.1.1
Versions Fixed: silverstripe/userforms: 6.4.9, 7.0.7, 7.1.1
Release Date: 2026-06-24

The userform email subject field in the CMS accepts a specially crafted payload that can be used to run arbitrary code on the server.

Base CVSS: 8.8
Reported by: Jack Wallace from Bastion Security
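
To check whether a project is on an affected release, the version ranges listed above can be tested against the project's `composer.lock`. The following Python script is an added example, not part of the original advisory or the Silverstripe project; its function names and the sample lock content are constructed for illustration, and it reads the ranges in Composer constraint syntax (comma as AND, `||` as OR).

```python
import json
import re

PACKAGE = "silverstripe/userforms"

# Affected ranges from the advisory as half-open [low, high) intervals:
# < 6.4.9 || >= 7.0.0, < 7.0.7 || >= 7.1.0, < 7.1.1
AFFECTED = [
    ((0, 0, 0), (6, 4, 9)),
    ((7, 0, 0), (7, 0, 7)),
    ((7, 1, 0), (7, 1, 1)),
]

def parse_version(text):
    """Return (major, minor, patch) for a stable x.y.z tag, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version):
    """True if the (major, minor, patch) tuple falls in an affected range."""
    return any(low <= version < high for low, high in AFFECTED)

def check_lock(lock_text):
    """Return (installed version string, status) for composer.lock content."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                # Dev branches and pre-releases cannot be placed in the
                # ranges reliably, so flag them for manual review.
                return raw, "unknown"
            return raw, "affected" if is_affected(parsed) else "fixed"
    return None, "not-installed"

# Constructed sample lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-module", "version": "1.2.3"},
        {"name": "silverstripe/userforms", "version": "7.0.6"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

In a real project, pass the contents of the site's own `composer.lock` to `check_lock` instead of `SAMPLE_LOCK`.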