CVE-2026-56381

Craft CMS - Stored XSS via User Group Name in User Permissions Page

CVSS 4.6 MEDIUMEPSS 0.1%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.6EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

21 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected products

craftcms · cms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6 https://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page