Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options | Advisories

Advisories

Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options

severity: medium
date: 6/21/2026
Affecting: cms >= 5.0.0-RC1, < 5.9.0-beta.1
cms >= 4.0.0-RC1, < 4.17.0-beta.1
CVE: CVE-2026-56393
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 4.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: GHSA Advisory GHSA-4mgv-366x-qxvx
https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
Credit: mHe4am
Description: Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo