In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails, which could lead to the execution of Twig code. This has been fixed in 3.9.0.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| barrelstrength/sprout-base-email (Packagist) | 0 | 1.2.7 | N/A |
| barrelstrength/sprout-forms (Packagist) | 0 | 3.9.0 | N/A |
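
To check a project against the ranges in the table above, the following added example (not part of the advisory or of the Sprout plugins) reads a `composer.lock` and reports the status of both packages. The function names and the sample lock contents are constructed for illustration; pre-release builds of a fixed version are treated as affected, and non-numeric versions such as `dev-master` are reported as `unknown` for manual review.

```python
import json
import re

# Fixed versions from the advisory table; every earlier release is affected.
FIXED = {
    "barrelstrength/sprout-forms": (3, 9, 0),
    "barrelstrength/sprout-base-email": (1, 2, 7),
}

def parse_version(text):
    """Parse '3.8.7', 'v1.2.6' or '3.9.0-beta.1' into ((major, minor, patch), is_prerelease)."""
    match = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        return None  # e.g. 'dev-master'
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad or truncate to three components
    return nums, match.group(2).startswith("-")

def audit_lock(lock_text):
    """Return (package, installed_version, status) for each advisory package in a composer.lock."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    findings = []
    for pkg in packages:
        name = pkg.get("name", "").lower()
        if name not in FIXED:
            continue
        installed = pkg.get("version", "")
        parsed = parse_version(installed)
        if parsed is None:
            status = "unknown"  # cannot be compared numerically
        else:
            nums, prerelease = parsed
            fixed = FIXED[name]
            # A pre-release of the fixed version sorts before the fixed release.
            affected = nums < fixed or (nums == fixed and prerelease)
            status = "affected" if affected else "fixed"
        findings.append((name, installed, status))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "barrelstrength/sprout-forms", "version": "3.8.7"},
        {"name": "barrelstrength/sprout-base-email", "version": "v1.2.7"},
        {"name": "craftcms/cms", "version": "3.4.10"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```
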
CVSS Metrics