Cross-Site Scripting Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-55793

5.9 MEDIUM

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 1 July 2026

What is CVE-2026-55793?

Craft CMS contains a cross-site scripting vulnerability that allows an author-level control panel user to inject a malicious JavaScript payload into an entry title. When another control panel user with the required permissions performs a drag operation under the compromised entry, the payload executes in the victim's session because data-title attributes are not properly escaped. The issue is only exploitable if the attacker already holds a control panel account with at least author privileges and the victim's session is active at the time of execution. This vulnerability has been addressed in Craft CMS version 5.9.23.
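The sink described above is an attribute-context escaping failure. The following is an added illustration, not Craft CMS code: a vulnerable rendering pattern that splices an entry title verbatim into a data-title attribute, the hardened form that escapes it first, and a reviewer check that lists the attribute names a browser would see in the opening tag. The markup shape, function names and sample title are constructed for the example.

```javascript
// Added illustration (not Craft CMS code): why an unescaped entry title
// inside a data-title attribute lets the title inject extra attributes,
// and the attribute-context escaping that prevents it.
// All sample titles are constructed.

// Vulnerable pattern: the title goes into the attribute verbatim, so a
// double quote inside the title terminates the attribute value early.
function renderUnsafe(title) {
  return `<div class="entry" data-title="${title}">${title}</div>`;
}

// Escape every character with meaning in an attribute value or text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same markup, but the title is escaped before
// interpolation, so it can never close the quoted attribute.
function renderSafe(title) {
  const safe = escapeHtml(title);
  return `<div class="entry" data-title="${safe}">${safe}</div>`;
}

// Reviewer check: the attribute names present in the opening tag.
// Quoted values are skipped whole, so an escaped title contributes no
// names; an unescaped one can add attributes the template never wrote.
function attributeNames(html) {
  const open = html.slice(0, html.indexOf('>'));
  const names = [];
  const re = /\s+([^\s=]+)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(open)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample title: a quote followed by what looks like an attribute.
const SAMPLE_TITLE = 'Report "final" x=1';
```

Running attributeNames over both renderings of SAMPLE_TITLE shows the unsafe version gaining an attribute named x, while the escaped version keeps only class and data-title.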

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.23

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved