CVE-2026-33051

MEDIUM 5.4 (CVSS 3.1)
2026-03-18 https://github.com/craftcms/cms GHSA-3x4w-mxpf-fhqq

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 18, 2026 - 13:15 (vuln.today)
Patch Released: Mar 18, 2026 - 13:15 (nvd), patch available
CVE Published: Mar 18, 2026 - 12:58 (nvd)

Description

The revision/draft context menu in the element editor renders the creator's `fullName` as raw HTML: the label is built with `Craft::t()` string interpolation and the result is then wrapped in `Template::raw()`, so the name is never encoded. A low-privileged control panel user (e.g. an Author) can set their `fullName` to an XSS payload in the profile editor, then create an entry and save it twice. When an administrator with an elevated session opens that menu and the crafted payload runs, the attacker's account can be elevated to administrator. Update to Craft 5.9.11, which contains the fix.
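The pattern described above, modelled as an added example (not Craft CMS code and not from this page): `t()` stands in for `Craft::t()` placeholder substitution, `raw()` for `Template::raw()`, and `render()` for a template layer that autoescapes everything except values marked raw. The helper bodies, the label text and the payload string are all assumptions made for illustration. The point it shows is that `raw()` applied after interpolation vouches for the attacker's markup together with the template's own, while encoding the parameter before interpolation keeps the template's `<strong>` and neutralises the name.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Markup:
    """Stand-in for the object Template::raw() returns: output verbatim."""
    value: str


def raw(s: str) -> Markup:
    """Stand-in for craft\\helpers\\Template::raw(): mark a string as safe HTML."""
    return Markup(s)


def t(message: str, params: dict) -> str:
    """Stand-in for Craft::t(): substitute {name} placeholders. Like the real
    helper, it performs no HTML encoding of the parameters."""
    out = message
    for key, val in params.items():
        out = out.replace("{" + key + "}", str(val))
    return out


def render(value) -> str:
    """Stand-in for the template layer: autoescape plain strings, but emit
    Markup unchanged."""
    if isinstance(value, Markup):
        return value.value
    return html.escape(str(value), quote=True)


# Constructed attacker-controlled profile value, as an Author could store it.
PAYLOAD_NAME = '<img src=x onerror="alert(1)">'

# The label deliberately carries markup of its own (bold creator name); that is
# the usual reason a developer reaches for Template::raw() in the first place.
LABEL = "Saved by <strong>{name}</strong>"


def vulnerable_label(full_name: str) -> str:
    """Pre-patch shape: interpolate the untrusted name, then mark the whole
    string raw. The name's markup is emitted along with the template's."""
    return render(raw(t(LABEL, {"name": full_name})))


def hardened_label(full_name: str) -> str:
    """Fix: encode the untrusted parameter before interpolation, so raw() only
    vouches for the markup the template author wrote."""
    return render(raw(t(LABEL, {"name": html.escape(full_name, quote=True)})))


def autoescaped_label(full_name: str) -> str:
    """Alternative: drop raw() entirely. Safe, but the template's own <strong>
    is encoded too, which is why this is often rejected and raw() creeps in."""
    return render(t(LABEL, {"name": full_name}))


def payload_survives(rendered: str) -> bool:
    """True if the injected element reaches the browser as an element."""
    return "<img" in rendered


if __name__ == "__main__":
    for fn in (vulnerable_label, hardened_label, autoescaped_label):
        out = fn(PAYLOAD_NAME)
        print(f"{fn.__name__:18} {'XSS' if payload_survives(out) else 'safe'}: {out}")
```

The same rule transfers to Twig: encode each untrusted parameter (for example with `Html::encode()`) before passing it to `Craft::t()`, and reserve `Template::raw()` for strings whose every component is trusted.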

Analysis

This vulnerability is a stored cross-site scripting (XSS) flaw in Craft CMS's element editor revision/draft context menu that renders user-supplied fullName data as raw HTML without proper sanitization. A low-privileged control panel user (such as an Author) can inject malicious JavaScript into their profile's fullName field, which executes when an administrator views the revision context menu. …

Remediation

Within 30 days: identify Craft CMS installations running a release older than 5.9.11 and update them as part of the regular patch cycle. Verify that a Content-Security-Policy covers the control panel and that user-supplied profile fields such as fullName are output-encoded wherever they are rendered.
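Two triage checks for the step above, written here as an added example rather than vuln.today or Craft code: read the installed `craftcms/cms` version out of `composer.lock` and compare it with the fixed release, and flag user rows whose `fullName` already carries markup, since a stored payload is not removed by the upgrade. Assumptions: the fixed version is 5.9.11 as the advisory states and every earlier 5.x release is treated as affected (the page names no lower bound); the `composer.lock` excerpt and the user rows are constructed sample data.

```python
import json
import re
from typing import Optional

# Fixed release named in the advisory. Assumption (the page gives no lower
# bound): every 5.x release below it is treated as affected.
FIXED_VERSION = (5, 9, 11)

# Constructed composer.lock excerpt for a site still on the prior release.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.10.3"},
        {"name": "craftcms/cms", "version": "5.9.10"},
    ]
})

# Constructed profile rows in the shape of Craft's users table (fullName column).
SAMPLE_USERS = [
    {"id": 1, "username": "admin", "fullName": "Site Admin"},
    {"id": 7, "username": "author1", "fullName": 'Eve <img src=x onerror="alert(1)">'},
    {"id": 9, "username": "author2", "fullName": "O'Brien & Sons"},
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
# Markup that has no business in a display name: a tag opener, an inline
# event handler, or a javascript: URL.
_MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def parse_version(text: str) -> Optional[tuple]:
    """'v5.9.10' or '5.9.10-beta.1' -> (5, 9, 10); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def installed_craft_version(lock_json: str) -> Optional[tuple]:
    """Read the installed craftcms/cms version out of composer.lock content."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return parse_version(pkg.get("version", ""))
    return None


def is_affected_version(version: Optional[tuple]) -> bool:
    """Affected under the assumption above: a 5.x release older than the fix."""
    return version is not None and version[0] == 5 and version < FIXED_VERSION


def is_affected(lock_json: str) -> bool:
    return is_affected_version(installed_craft_version(lock_json))


def suspicious_full_names(users) -> list:
    """IDs of users whose fullName carries markup; worth checking even after
    patching, since stored payloads survive the upgrade."""
    return [u["id"] for u in users if _MARKUP_RE.search(u.get("fullName") or "")]


if __name__ == "__main__":
    print("installed:", installed_craft_version(SAMPLE_COMPOSER_LOCK),
          "affected:", is_affected(SAMPLE_COMPOSER_LOCK))
    print("users with markup in fullName:", suspicious_full_names(SAMPLE_USERS))
```

On a real site, feed `installed_craft_version()` the contents of the project's `composer.lock` and `suspicious_full_names()` the rows of the users table; a hit in the second check is a reason to review that account's recent entries and revisions, not just to clean the field.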

Priority Score

27 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0

CVE-2026-33051 vulnerability details – vuln.today