CVE-2026-31859
Received Received - Intake

Reflected XSS in Craft CMS User Return URL Handling

Vulnerability report for CVE-2026-31859, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description

Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
craftcms craft_cms From 4.15.3 (inc) to 4.17.3 (exc)
craftcms craft_cms From 5.7.5 (inc) to 5.9.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31859 is a reflected Cross-Site Scripting (XSS) vulnerability in the craftcms/cms package. It occurs because the sanitization of the "return URL" parameter uses PHP\'s strip_tags() function, which only removes HTML tags but does not validate or filter URL schemes. Malicious payloads like javascript:alert(document.cookie) can bypass this sanitization because they contain no HTML tags. When such a payload is stored in the session and later rendered in an href attribute, it executes JavaScript in the context of the Craft CMS origin.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Craft CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Craft CMS version 4.17.3 or later if you are on the 4.x branch.
  • Upgrade to Craft CMS version 5.9.7 or later if you are on the 5.x branch.

These versions include a fix that properly sanitizes the return URL parameter beyond just removing HTML tags, preventing malicious URL schemes from being stored and executed.

As a temporary workaround, you may consider implementing additional input validation or filtering on the returnUrl parameter to block unsafe URL schemes before the upgrade.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to several security impacts including session hijacking through cookie theft, data exfiltration, phishing by redirecting users to attacker-controlled domains, and Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious URL containing a JavaScript payload that executes when a victim clicks a link, compromising the victim's session and data."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious or malicious return URL parameters that include JavaScript or other unsafe URL schemes such as "javascript:", "data:", or protocol-relative URLs like "//evil.com" in requests to the Craft CMS application.'}, {'type': 'paragraph', 'content': 'You can inspect web server logs or use network monitoring tools to search for requests containing suspicious returnUrl parameters.'}, {'type': 'list_item', 'content': 'Use grep or similar tools on web server logs to find suspicious returnUrl parameters, for example:'}, {'type': 'list_item', 'content': "grep -i 'returnUrl=javascript:' /path/to/access.log"}, {'type': 'list_item', 'content': "grep -i 'returnUrl=data:' /path/to/access.log"}, {'type': 'list_item', 'content': "grep -i 'returnUrl=//' /path/to/access.log"}, {'type': 'paragraph', 'content': 'Additionally, you can use web application scanners or security tools that detect reflected XSS vulnerabilities by testing the returnUrl parameter with payloads containing JavaScript schemes.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart