Stored Cross-Site Scripting Vulnerabilities in Craft CMS by Pixel & Tonic
CVE-2026-56393
4.6 MEDIUM
What is CVE-2026-56393?
Craft CMS versions 4.x and 5.x contain multiple stored cross-site scripting vulnerabilities caused by improper sanitization of settings names and field option labels. An authenticated administrator with the 'allowAdminChanges' permission can exploit them by injecting JavaScript payloads into configurable elements of the CMS, such as section names and checkbox/radio option labels; because these values are stored and later rendered in the control panel, the injected script executes in the control-panel sessions of other users. Versions 4.17.0-beta.1 and 5.9.0-beta.1 address these issues, which underlines the importance of keeping installations current.
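The root cause described above, as an added illustration that is not Craft's code: a stored option label interpolated straight into control-panel markup versus the same label rendered through context-aware HTML escaping, plus a small audit that flags stored settings containing markup for review. The settings dictionary, the payload label and the render functions are constructed for this example and do not reflect Craft's real data structures or templates.

```python
import html
import re

# Constructed sample of stored settings, modelled on the data the advisory names
# (section names, checkbox/radio option labels). Not Craft's real structures.
STORED_SETTINGS = {
    "sections": ["News", "Docs"],
    "field_options": {
        "newsletter": [
            {"label": "Weekly", "value": "weekly"},
            # constructed payload label, the kind an admin with allowAdminChanges could save
            {"label": "Daily <img src=x onerror=alert(1)>", "value": "daily"},
        ]
    },
}

def render_option_vulnerable(opt):
    # Interpolates the stored label directly: an admin-supplied label becomes live
    # HTML in every other user's control-panel session (stored XSS).
    return f'<label><input type="checkbox" value="{opt["value"]}"> {opt["label"]}</label>'

def render_option_hardened(opt):
    # Escape for both the attribute context and the text context (quote=True also
    # encodes quotes), so the label is emitted as inert text.
    value = html.escape(opt["value"], quote=True)
    label = html.escape(opt["label"], quote=True)
    return f'<label><input type="checkbox" value="{value}"> {label}</label>'

# Heuristic for markup or event-handler fragments that have no business in a label.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def audit_settings(settings):
    """Return (location, value) pairs whose stored text looks like markup, so an
    operator can review what was saved before the upgrade."""
    findings = []
    for name in settings.get("sections", []):
        if MARKUP_RE.search(name):
            findings.append(("sections", name))
    for field, options in settings.get("field_options", {}).items():
        for opt in options:
            if MARKUP_RE.search(opt["label"]):
                findings.append((f"field_options.{field}", opt["label"]))
    return findings
```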
Affected Version(s)
cms 5.0.0-RC1 < 5.9.0-beta.1
cms 4.0.0-RC1 < 4.17.0-beta.1
cms 5.9.0-beta.1
