Description
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Published: 2026-06-21
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS versions starting with 5.0.0‑RC1 render user group names in the User Permissions page without proper HTML escaping. An attacker who has administrative privileges can embed arbitrary JavaScript into a user group name. When other users view or edit the permissions, the injected script executes in their browsers, potentially allowing the attacker to steal session cookies, deface content, or execute further malicious actions. This is a classic stored XSS flaw classified as CWE‑79, directly impacting the confidentiality and integrity of user data and the availability of the CMS interface for affected users.

Affected Systems

The vulnerability appears in Craft CMS from version 5.0.0‑RC1 and later. The affected product is the Craft CMS content management system issued by Craft CMS, Inc. Users running any version of the CMS that includes the unescaped user group name rendering are at risk.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. No EPSS data is available, so the current likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack requires administrative access to the CMS; therefore, only privileged users can deploy the exploit. If an attacker can gain admin rights—through credential compromise, social engineering, or previously established backdoors—they can deliver the malicious script, which then runs via the victim's browser whenever the permissions page is viewed or edited.

Generated by OpenCVE AI on June 21, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to the latest version that removes the unescaped rendering of user group names.
  • If an immediate upgrade is not possible, restrict administrative privileges to only trusted accounts and apply the principle of least privilege to limit exposure.
  • As a temporary workaround, manually sanitize existing user group names by removing special characters such as <, >, & and any script tags, or configure the CMS to escape output for the User Permissions page when displaying group names.

Generated by OpenCVE AI on June 21, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Title Craft CMS - Stored XSS via User Group Name in User Permissions Page
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-79
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:48:37.589Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56381

cve-icon Vulnrichment

Updated: 2026-06-23T02:48:32.314Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')