← volver
CVE-2026-56393

Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.6EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
21 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Productos afectados
craftcms · cms

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvxhttps://www.vulncheck.com/advisories/craft-cms-multiple-stored-cross-site-scripting-in-settings-names-and-field-options