CVE Catalog

CVE-2026-56393

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Craft CMS versions 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization. An authenticated administrator can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions.

Risk Assessment

An attacker can exploit these vulnerabilities to inject malicious JavaScript code, potentially leading to data theft or session hijacking of other users. This poses a serious threat to the security of data within the organization.

Recommendation

It is recommended to update Craft CMS to versions 4.17.0-beta.1 or 5.9.0-beta.1 to mitigate these vulnerabilities. Additionally, a security audit should be conducted to identify potential malicious code injections.

Original NVD description (English source)

Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS