Description
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from incomplete sanitization of return URLs in Craft CMS. The implemented strip_tags() call removes only angle‐bracketed HTML tags but does not filter URL schemes, allowing payloads such as javascript:alert(document.cookie) to survive. When the unsanitized return URL is later rendered in an href attribute, a reflected XSS attack can be triggered, leading to the execution of arbitrary JavaScript in the victim’s browser, which may compromise confidentiality of user data, hijack sessions, or perform other malicious actions. The weakness is identified as CWE-116 (Improper Encoding for Output) and CWE-79 (Improper Neutralization of Input).
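The following is an added example, not code from Craft CMS or the advisory: it contrasts the tag-stripping approach the Description and Impact sections describe with a scheme-aware return URL validator. The function names and the host allow-list are assumptions made for this example.

```php
<?php
// Added example, not Craft's own code: why strip_tags() is the wrong tool
// for a return URL, and a scheme-aware validator to use instead. Function
// names and the host allow-list are this example's assumptions.

// The weak approach the advisory describes: strip_tags() only removes <...>
// tags, so a URL with a dangerous scheme passes through unchanged.
function sanitizeReturnUrlWeak(string $url): string
{
    return strip_tags($url);
}

// Hardened approach: accept only a same-site relative path, or an absolute
// http(s) URL whose host is on an explicit allow-list. Anything else,
// including javascript: and data: URLs, is rejected rather than "cleaned".
function isSafeReturnUrl(string $url, array $allowedHosts): bool
{
    // Reject control characters and whitespace instead of normalising them.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Relative path: a single leading "/" ("//host" is an absolute URL).
    if (preg_match('#^/(?!/)#', $url)) {
        return true;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed inputs: two legitimate URLs, the advisory's payload, one off-site.
$allowedHosts = ['example.test'];
$inputs = [
    '/admin/dashboard',
    'https://example.test/entries',
    'javascript:alert(document.cookie)',
    '//other.test/',
];
foreach ($inputs as $in) {
    // htmlspecialchars() alone leaves javascript: intact too: validate, not just encode.
    printf("%-36s strip_tags=%-36s encoded=%-36s safe=%s\n", $in,
        sanitizeReturnUrlWeak($in), htmlspecialchars($in, ENT_QUOTES),
        isSafeReturnUrl($in, $allowedHosts) ? 'yes' : 'NO');
}
```

The output shows that both strip_tags() and output encoding leave the javascript: URL unchanged, while the validator rejects it and the off-site URL but accepts the two legitimate return targets.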

Affected Systems

The affected product is Craft CMS (craftcms:cms). All releases prior to the patch versions 5.9.7 and 4.17.3 contain the vulnerability. Updates to these or later versions contain the correct sanitization mechanism.

Risk and Exploitability

The CVSS score is 6.9, indicating medium severity, while the EPSS score is below 1%, signifying a low probability of real-world exploitation at the time of assessment. The CVE is not listed in CISA's KEV catalog. The return URL is attacker-controlled: an adversary can embed a malicious return URL in a link or redirect, and a victim who follows that link triggers the XSS payload. The requirement for user interaction and the fact that the attack occurs only when the return URL is rendered in an HTML attribute modestly reduce the overall risk but do not eliminate it.

Generated by OpenCVE AI on March 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch v5.9.7 or v4.17.3 (or any newer release) to eliminate the vulnerable return URL handling.


Advisories

  • Source: GitHub GHSA
    ID: GHSA-fvwq-45qv-xvhv
    Title: CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
History

Tue, 17 Mar 2026 14:15:00 +0000 (values added)

  • First Time appeared: Craftcms craft Cms
  • CPEs: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  • Vendors & Products: Craftcms craft Cms
  • Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 12 Mar 2026 14:15:00 +0000 (values added)

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000 (values added)

  • First Time appeared: Craftcms; Craftcms craftcms
  • Vendors & Products: Craftcms; Craftcms craftcms

Wed, 11 Mar 2026 18:00:00 +0000 (values added)

  • Description: Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
  • Title: Craft has Reflective XSS via incomplete return URL sanitization
  • Weaknesses: CWE-116, CWE-79
  • References: (no values listed)
  • Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:00:23.631Z

Reserved: 2026-03-09T19:02:25.012Z

Link: CVE-2026-31859

Vulnrichment

Updated: 2026-03-12T14:00:16.047Z

NVD

Status : Analyzed

Published: 2026-03-11T18:16:24.710

Modified: 2026-03-17T14:03:57.187

Link: CVE-2026-31859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:11Z

Weaknesses