Headline
GHSA-rwr8-xrpw-9qf5: solspace/craft-freeform Exposed to Known Axios Vulnerabilities via Precompiled Assets
Summary
The latest versions of both 4.x and 5.x are using Axios versions < 1.7.5 and as such are subject to known vulnerabilities as per: https://security.snyk.io/package/npm/axios
Details
We’ve had this flagged up in a pen test, which indicates the issue stems from this script: /freeform/plugin.js. I couldn’t see any reference to vulnerable axios versions in your package.json files, but noticed some precompiled files in packages/plugin so I’m assuming those are where the issue lies.
Low severity • GitHub Reviewed • Published Jan 15, 2026 in solspace/craft-freeform • Updated Jan 15, 2026
Package
solspace/craft-freeform (Composer)
Affected versions
< 4.1.22
>= 5.0.0-beta.1, < 5.5.9
Patched versions
4.1.22
5.5.9
Published to the GitHub Advisory Database: Jan 15, 2026
Last updated: Jan 15, 2026