CVE-2026-31859
Reflected XSS in Craft CMS User Return URL Handling
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | From 4.15.3 (inc) to 4.17.3 (exc) |
| craftcms | craft_cms | From 5.7.5 (inc) to 5.9.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31859 is a reflected Cross-Site Scripting (XSS) vulnerability in the craftcms/cms package. It occurs because the sanitization of the "return URL" parameter relies on PHP's strip_tags() function, which only removes HTML tags and neither validates nor filters URL schemes. A payload such as javascript:alert(document.cookie) contains no HTML tags, so it passes through strip_tags() unchanged. When such a payload is stored in the session and later rendered into an href attribute, following that link executes the attacker's JavaScript in the context of the Craft CMS origin. [1]
How can this vulnerability impact me?
This vulnerability can lead to several security impacts, including session hijacking through cookie theft, data exfiltration, phishing by redirecting users to attacker-controlled domains, and Cross-Site Request Forgery (CSRF) attacks performed with the victim's session. An attacker crafts a URL containing a JavaScript payload; when a victim clicks the link, the payload executes and the victim's session and data are compromised. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for return URL parameters that carry JavaScript or other unsafe URL schemes such as "javascript:" or "data:", or protocol-relative URLs like "//evil.com", in requests to the Craft CMS application.
You can inspect web server logs or use network monitoring tools to search for requests containing suspicious returnUrl parameters, for example with grep:
- grep -i 'returnUrl=javascript:' /path/to/access.log
- grep -i 'returnUrl=data:' /path/to/access.log
- grep -i 'returnUrl=//' /path/to/access.log
Note that these plain string matches miss percent-encoded variants (returnUrl=javascript%3A, returnUrl=%2F%2Fevil.com), so either search for the encoded forms as well or decode the query string before matching.
Additionally, you can use web application scanners or security tools that detect reflected XSS by testing the returnUrl parameter with payloads containing JavaScript schemes. [1]
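The following Python script is an added example, not code from Craft CMS or from this advisory. It illustrates both the explanation above (why tag stripping alone lets a javascript: URL through) and the log-based detection just described. The strip_tags() stand-in is a rough approximation of the PHP function, the allowlist validator is a generic scheme/host check rather than Craft's actual fix, and the access-log lines and the site host example.com are constructed for the demonstration. Unlike a plain grep, the scanner percent-decodes the parameter value before judging it.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Rough stand-in for PHP's strip_tags(): drops <...> markup and nothing else.
# Constructed for illustration; it is not Craft's code.
def strip_tags(value: str) -> str:
    return re.sub(r"<[^>]*>", "", value)

def sanitize_tag_stripping_only(return_url: str) -> str:
    # The weak approach: a javascript: URL contains no tags, so it survives
    # untouched and later lands inside an href attribute.
    return strip_tags(return_url)

SAFE_SCHEMES = ("http", "https")

def percent_decode(value: str, rounds: int = 3) -> str:
    # Decode repeatedly (bounded) so %-encoded and double-encoded variants
    # are judged on what a browser would finally see.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_return_url(value: str, site_host: str) -> Optional[str]:
    """Return None if value is an acceptable return URL (a site-relative path or
    an http(s) URL on site_host); otherwise a short label for the rejection."""
    url = percent_decode(value).strip()
    if not url:
        return None
    # Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
    # so reject them outright instead of trying to normalise them away.
    if re.search(r"[\x00-\x20\x7f]", url):
        return "control-chars"
    # Protocol-relative and backslash forms (//evil, \\evil, /\evil) leave the origin.
    if url.startswith(("//", "\\", "/\\")):
        return "protocol-relative"
    if url.startswith("/"):
        return None  # site-relative path: navigation stays on this origin
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return "unsafe-scheme"  # javascript:, data:, vbscript:, or no scheme at all
    if (parts.hostname or "").lower() != site_host.lower():
        return "off-site-host"  # absolute URL elsewhere: open redirect / phishing
    return None

def sanitize_return_url(return_url: str, site_host: str, default: str = "/") -> str:
    # Allowlist-based replacement for tag stripping: anything not provably
    # on-site falls back to a safe default location.
    if return_url.strip() and classify_return_url(return_url, site_host) is None:
        return return_url
    return default

# Constructed access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2026:10:01:02 +0000] "GET /admin/login?returnUrl=%2Fadmin%2Fdashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2026:10:02:15 +0000] "GET /admin/login?returnUrl=javascript:alert(document.cookie) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2026:10:02:40 +0000] "GET /admin/login?returnUrl=JaVaScRiPt%3Aalert%281%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2026:10:03:01 +0000] "GET /admin/login?returnUrl=%252F%252Fevil.example%2Fphish HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Mar/2026:10:04:00 +0000] "GET /admin/login?returnUrl=https%3A%2F%2Fexample.com%2Fadmin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Mar/2026:10:05:00 +0000] "GET /admin/login?returnUrl=data%3Atext%2Fhtml%2C%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(text: str, site_host: str) -> List[Tuple[str, str, str]]:
    """Flag suspicious returnUrl values in combined-format log lines.
    Returns (client_ip, label, decoded_value) tuples."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != "returnurl":  # parameter name matched case-insensitively
                continue
            label = classify_return_url(value, site_host)
            if label is not None:
                findings.append((line.split(" ", 1)[0], label, percent_decode(value)))
    return findings

if __name__ == "__main__":
    print(sanitize_tag_stripping_only("javascript:alert(document.cookie)"))
    for finding in scan_log(SAMPLE_LOG, "example.com"):
        print(*finding)
```

Run against the sample, the scanner reports four of the six requests: the raw javascript: payload, its mixed-case percent-encoded twin, the double-encoded protocol-relative redirect, and the data: URL; the site-relative path and the on-site absolute URL pass. The same classify_return_url() check is the kind of allowlist filter one would put in front of the parameter as an interim measure.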
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft CMS to a version in which this vulnerability is fixed.
- Upgrade to Craft CMS version 4.17.3 or later if you are on the 4.x branch.
- Upgrade to Craft CMS version 5.9.7 or later if you are on the 5.x branch.
These versions include a fix that validates the return URL parameter rather than merely removing HTML tags, so malicious URL schemes are no longer stored and rendered.
As a temporary workaround until you can upgrade, add input validation or filtering on the returnUrl parameter that rejects unsafe URL schemes and protocol-relative URLs.