Description
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Stored XSS
Action: Immediate Patch
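The rendering pattern the description above calls out, modelled as an added Python example (not Craft CMS code; `Raw`, `translate` and `render` are stand-ins for Template::raw(), Craft::t() and Twig autoescaping, and the hardened variant is one illustrative fix, not the project's actual 5.9.11 change). It shows why wrapping an interpolated translation in a raw marker defeats autoescaping, and adds an audit check a defender can run over stored display names.

```python
import html
import re

class Raw(str):
    """Trusted-HTML marker: the renderer emits it unescaped.
    Stand-in for the Twig Markup object that Template::raw() returns."""

def translate(message: str, params: dict) -> str:
    """Stand-in for Craft::t(): substitutes {param} placeholders verbatim.
    It has no notion of HTML, so whatever the caller passes lands in the string."""
    return re.sub(r"\{(\w+)\}", lambda m: str(params[m.group(1)]), message)

def render(value: str) -> str:
    """Stand-in for Twig autoescaping: plain str is escaped, Raw passes through."""
    return value if isinstance(value, Raw) else html.escape(value, quote=True)

def vulnerable_menu_label(full_name: str) -> str:
    """The pattern the advisory describes: interpolate the untrusted name into a
    translated string, then mark the whole result raw. The raw marker now covers
    the name as well, so autoescaping never touches it."""
    return render(Raw(translate("Edited by {name}", {"name": full_name})))

def hardened_menu_label(full_name: str) -> str:
    """One hardening (an assumption, not Craft's real fix): encode the untrusted
    parameter before interpolation, so Raw only covers the translation
    template's own text."""
    safe_name = html.escape(full_name, quote=True)
    return render(Raw(translate("Edited by {name}", {"name": safe_name})))

# Tag-like text, a javascript: scheme, or an on*= handler inside a display name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|on\w+\s*=", re.IGNORECASE)

def names_with_markup(full_names: list) -> list:
    """Audit helper: return stored display names that contain markup-like text,
    so existing profiles can be reviewed after upgrading. A rendering fix does
    not by itself change data that is already stored."""
    return [n for n in full_names if MARKUP_RE.search(n)]

# Constructed sample data, not taken from the advisory.
SAMPLE_NAMES = ["Jane Doe", "<script>alert(1)</script>", "O'Brien & Sons"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("vulnerable:", vulnerable_menu_label(name))
        print("hardened:  ", hardened_menu_label(name))
    print("flagged:", names_with_markup(SAMPLE_NAMES))
```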
AI Analysis

Impact

Craft CMS is a content management platform whose element editor includes a revision/draft context menu. A low‑privileged user with access to the control panel can set the fullName field in their profile to a malicious XSS payload. The payload is stored in the database, and because the context menu renders that name as raw HTML, the stored script executes with administrative privileges when a privileged administrator subsequently opens a page that renders the menu, effectively elevating the attacker’s account.

Affected Systems

Craft CMS versions 5.9.0‑beta.1 through 5.9.10 are vulnerable. The flaw was addressed in release 5.9.11, and later releases do not include this issue.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires a low‑privileged user to first submit the malicious fullName, and then an administrator to be actively logged in when the menu is rendered. The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of real‑world exploitation. This vulnerability is not listed in the CISA KEV catalog. The attack vector is a stored XSS that executes within an elevated session while the context menu is rendered.

Generated by OpenCVE AI on March 20, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.11 or later.

Advisories
Source: Github GHSA
ID: GHSA-3x4w-mxpf-fhqq
Title: Craft CMS Vulnerable to Stored XSS in Revision Context Menu

History

Tue, 24 Mar 2026 02:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Craftcms craft Cms
Type: CPEs
Values Added: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Craftcms craft Cms
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Craftcms; Craftcms craftcms
Type: Vendors & Products
Values Added: Craftcms; Craftcms craftcms

Fri, 20 Mar 2026 06:00:00 +0000

Type: Description
Values Added: Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
Type: Title
Values Added: Craft CMS Vulnerable to Stored XSS in Revision Context Menu
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:53:57.615Z

Reserved: 2026-03-17T18:10:50.212Z

Link: CVE-2026-33051

Vulnrichment

Updated: 2026-03-24T01:53:52.596Z

NVD

Status: Analyzed

Published: 2026-03-20T06:16:12.830

Modified: 2026-03-20T19:37:28.587

Link: CVE-2026-33051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:17Z

Weaknesses