Skip to main content

Craft CMS CVE-2026-55793

| EUVDEUVD-2026-41153 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 security-advisories@github.com GHSA-xrqc-p465-2xvg
5.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

AC:H reflects the drag-trigger specificity and Structure section requirement; PR:L for author role; S:C because victim's admin session is the impacted scope; I:H for potential admin-level action execution.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 23:02 EUVD
Analysis Generated
Jul 01, 2026 - 22:32 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victim’s session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23.

AnalysisAI

Stored XSS in Craft CMS 5.0.0-RC1 through 5.9.22 allows an author-level control panel user to execute arbitrary JavaScript in the session of an admin or any privileged user with saveEntries permission on the same Structure section. The vulnerability arises from an HTML encode/decode mismatch: the server safely escapes an entry title into a data-title attribute, but jQuery's .data() method re-decodes the value before it is concatenated back into HTML without re-escaping, bypassing the initial sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker with author account stores XSS payload in Structure entry title
Delivery
Server HTML-encodes title into data-title attribute safely
Exploit
Admin opens Structure section table view
Install
Admin drags entry beneath poisoned entry
C2
jQuery .data() decodes attribute, returning raw payload string
Execute
Payload concatenated into HTML without re-encoding
Impact
Arbitrary JavaScript executes in admin browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum an Author-level Craft CMS control panel account with create/edit access to at least one Structure-type section. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.9 (Medium) is appropriate and well-calibrated given the multiple compounding prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious Craft CMS author creates an entry titled with an HTML-encoded XSS payload (e.g., a cookie-exfiltration script) inside a Structure section. When a target administrator later opens the Structure table view and drags any entry beneath the poisoned entry during routine content organization - a normal workflow action - the drag event reads the stored title via jQuery .data(), which decodes the payload and injects it into the DOM as live HTML, executing the script in the admin's browser session and potentially exfiltrating session tokens to an attacker-controlled endpoint. …
Remediation Upgrade Craft CMS to version 5.9.23 or later, which resolves this issue per the vendor security advisory GHSA-xrqc-p465-2xvg (commit 162321e899cc97517fb6f5a02b5528f549d0c6cc). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy