Impact
Craft CMS versions starting with 5.0.0‑RC1 render user group names in the User Permissions page without proper HTML escaping. An attacker who has administrative privileges can embed arbitrary JavaScript into a user group name. When other users view or edit the permissions, the injected script executes in their browsers, potentially allowing the attacker to steal session cookies, deface content, or execute further malicious actions. This is a classic stored XSS flaw classified as CWE‑79, directly impacting the confidentiality and integrity of user data and the availability of the CMS interface for affected users.
Affected Systems
The vulnerability appears in Craft CMS from version 5.0.0‑RC1 and later. The affected product is the Craft CMS content management system issued by Craft CMS, Inc. Users running any version of the CMS that includes the unescaped user group name rendering are at risk.
Risk and Exploitability
The CVSS score of 4.6 indicates a moderate severity. No EPSS data is available, so the current likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack requires administrative access to the CMS; therefore, only privileged users can deploy the exploit. If an attacker can gain admin rights—through credential compromise, social engineering, or previously established backdoors—they can deliver the malicious script, which then runs via the victim's browser whenever the permissions page is viewed or edited.
OpenCVE Enrichment