Fixed
- Fixed a security vulnerability in the
locutusdependency (CVE-2026-25521, CVE-2026-33994). (#2876) - Fixed required Payment fields being validated and processed on intermediate multi-page form submissions. (#2873)
- Fixed a validation error being raised for conditionally-hidden sub-fields in a Repeater when the same field was visible in another row. (#2874)
- Fixed conditionally-hidden fields inside a Repeater not being revealed when they have a validation error on Ajax forms with a Stripe payment field. (#2875)
- Fixed missing authorization for
integrations/form-settings, which could allow SSRF and exposure of integration credentials. - Fixed missing authorization when resuming incomplete submissions via the
submitaction. - Fixed missing authorization for
sent-notifications/get-resend-modal-content. - Fixed
save-submissionallowing anonymous submission creation and accepting sensitive parameters from front-end requests. - Fixed an XSS vulnerability for importing forms with manipulated form title, handle, or notification name content.
- Fix migration failure when Typed Link is installed by adding
__toString()to Formie fields. - Fix required File Upload fields inside Repeaters breaking Stripe payment resubmits..