Impact
Craft CMS versions 4.x and 5.x include multiple stored cross‑site scripting flaws where names and labels are rendered without proper escaping. An authenticated administrator with the allowAdminChanges setting enabled can inject malicious JavaScript into section names, field labels, and other configuration values. These payloads execute in the control‑panel context of any user viewing those settings, enabling attackers to hijack sessions, deface the interface, or perform other client‑side attacks. The weakness is a classic stored XSS flaw (CWE‑79).
Affected Systems
The vulnerability applies to Craft CMS (official vendor craftcms) versions 4.0.0‑RC1 through 4.17.0‑beta.1 (exclusive) and 5.0.0‑RC1 through 5.9.0‑beta.1 (exclusive). The fix is delivered in version 4.17.0‑beta.1 and in 5.9.0‑beta.1, so any installation that has not been upgraded to at least those releases remains affected.
Risk and Exploitability
The CVSS score is 4.6, indicating a moderate risk. While the EPSS score is currently unavailable, the flaw can be exploited by any user who has administrative rights, a role that exists in most installations. Because the control‑panel scripts run in the victim’s browser, the exploitation occurs client‑side, but it can lead to session hijacking or unauthorized action. The vulnerability is not listed in the CISA KEV catalog, but it remains a concern due to the high number of installations using Craft CMS 4.x and 5.x.
OpenCVE Enrichment