Home

Description

Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

PUBLISHED Reserved 2026-06-21 | Published 2026-06-21 | Updated 2026-06-22 | Assigner VulnCheck




MEDIUM: 4.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 4.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

5.0.0-RC1 (semver) before 5.9.0-beta.1
affected

5.9.0-beta.1 (semver)
unaffected

4.0.0-RC1 (semver) before 4.17.0-beta.1
affected

4.17.0-beta.1 (semver)
unaffected

Credits

mHe4am reporter

References

github.com/...ms/cms/security/advisories/GHSA-4mgv-366x-qxvx exploit

github.com/...ms/cms/security/advisories/GHSA-4mgv-366x-qxvx (GHSA Advisory GHSA-4mgv-366x-qxvx) vendor-advisory

github.com/...ommit/943152d2246b36f12adf161a03b8695b773d9276 patch

github.com/...ommit/67780a778c6ec04e68e64a0b1177c168306144a2 patch

www.vulncheck.com/...ing-in-settings-names-and-field-options (VulnCheck Advisory: Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options) third-party-advisory

cve.org (CVE-2026-56393)

nvd.nist.gov (CVE-2026-56393)

Download JSON