Description
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Published: 2026-06-21
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS versions 4.x and 5.x include multiple stored cross‑site scripting flaws where names and labels are rendered without proper escaping. An authenticated administrator with the allowAdminChanges setting enabled can inject malicious JavaScript into section names, field labels, and other configuration values. These payloads execute in the control‑panel context of any user viewing those settings, enabling attackers to hijack sessions, deface the interface, or perform other client‑side attacks. The weakness is a classic stored XSS flaw (CWE‑79).

Affected Systems

The vulnerability applies to Craft CMS (official vendor craftcms) versions 4.0.0‑RC1 through 4.17.0‑beta.1 (exclusive) and 5.0.0‑RC1 through 5.9.0‑beta.1 (exclusive). The fix is delivered in version 4.17.0‑beta.1 and in 5.9.0‑beta.1, so any installation that has not been upgraded to at least those releases remains affected.

Risk and Exploitability

The CVSS score is 4.6, indicating a moderate risk. While the EPSS score is currently unavailable, the flaw can be exploited by any user who has administrative rights, a role that exists in most installations. Because the control‑panel scripts run in the victim’s browser, the exploitation occurs client‑side, but it can lead to session hijacking or unauthorized action. The vulnerability is not listed in the CISA KEV catalog, but it remains a concern due to the high number of installations using Craft CMS 4.x and 5.x.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.0‑beta.1 or later, or 5.9.0‑beta.1 or later.
  • If an upgrade is not immediately possible, disable the allowAdminChanges setting or restrict it to trusted administrators to prevent injection via configuration changes.
  • Review all existing section names, volume names, user group names, global set names, and field option labels for injected scripts and remove any malicious content that may already be stored.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Title Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-79
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T13:22:05.584Z

Reserved: 2026-06-21T12:37:58.434Z

Link: CVE-2026-56393

cve-icon Vulnrichment

Updated: 2026-06-22T13:22:00.581Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')