Cross-Site Scripting Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-55793
5.9 MEDIUM
What is CVE-2026-55793?
Craft CMS contains a cross-site scripting vulnerability that allows an author-level control panel user to inject a malicious JavaScript payload into an entry title. When another control panel user with the required permissions performs a drag operation under the compromised entry, the payload executes in the victim's session because the data-title attributes are not properly escaped for the HTML attribute context. This issue is only exploitable if the attacker possesses an existing control panel account with at least author privileges and the victim's session is active at the time of execution. This vulnerability has been addressed in Craft CMS version 5.9.23.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.23
