CVE-2026-56393
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Craft CMS versions 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization. An authenticated administrator can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions.
Risk Assessment
An attacker can exploit these vulnerabilities to inject malicious JavaScript code, potentially leading to data theft or session hijacking of other users. This poses a serious threat to the security of data within the organization.
Recommendation
It is recommended to update Craft CMS to versions 4.17.0-beta.1 or 5.9.0-beta.1 to mitigate these vulnerabilities. Additionally, a security audit should be conducted to identify potential malicious code injections.
Original NVD description (English source)
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

