Skip to main content

CVE-2026-33051

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/craftcms/cms GHSA-3x4w-mxpf-fhqq
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 13:15 vuln.today
Patch released
Mar 18, 2026 - 13:15 nvd
Patch available
CVE Published
Mar 18, 2026 - 12:58 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

The revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves.

If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator.

Users should update to Craft 5.9.11 with the patch to mitigate the issue.

AnalysisAI

This vulnerability is a stored cross-site scripting (XSS) flaw in Craft CMS's element editor revision/draft context menu that renders user-supplied fullName data as raw HTML without proper sanitization. A low-privileged control panel user (such as an Author) can inject malicious JavaScript into their profile's fullName field, which executes when an administrator views the revision context menu. If weaponized with a carefully crafted payload while an administrator is authenticated, an attacker can escalate their account privileges to administrator level. A patch is available in Craft CMS version 5.9.11.

Technical ContextAI

The vulnerability stems from improper output encoding in Craft CMS (CPE: pkg:composer/craftcms/cms) where the Template::raw() function is combined with Craft::t() string interpolation without HTML escaping the fullName variable. This violates CWE-79 (Improper Neutralization of Input During Web Page Generation) because user-controlled data from the profile editor is rendered directly into HTML context without sanitization. The affected code path involves the revision/draft context menu in the element editor, which retrieves the creator's fullName and renders it as raw HTML markup rather than escaped text, allowing arbitrary HTML and JavaScript injection.

RemediationAI

Immediately upgrade Craft CMS to version 5.9.11 or later via Composer (composer update craftcms/cms). The patch has been committed to the vendor repository (commit f634a9d21edcafd83a6716047d275f985aba6be1) and is available in the official release. Until patching can be completed, restrict control panel access to trusted administrators only, disable profile editing for low-privileged users if possible, and review fullName fields in the database for any suspicious content. Additionally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of any injected scripts. Refer to the official advisory at https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq for comprehensive patching details.

Share

CVE-2026-33051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy