CVE-2026-31859
Reflected XSS in Craft CMS User Return URL Handling

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
Meta Information
  • Generated: 2026-06-16
  • AI Q&A: 2026-03-11
  • EPSS evaluated: 2026-06-15
  • External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
  • Vendor craftcms, product craft_cms: from 4.15.3 (inclusive) to 4.17.3 (exclusive)
  • Vendor craftcms, product craft_cms: from 5.7.5 (inclusive) to 5.9.7 (exclusive)
Weakness Enumeration
  • CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  • CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

CVE-2026-31859 is a reflected Cross-Site Scripting (XSS) vulnerability in the craftcms/cms package. It occurs because the sanitization of the "return URL" parameter uses PHP's strip_tags() function, which only removes HTML tags but does not validate or filter URL schemes. Malicious payloads like javascript:alert(document.cookie) can bypass this sanitization because they contain no HTML tags. When such a payload is stored in the session and later rendered in an href attribute, it executes JavaScript in the context of the Craft CMS origin. [1]

Impact Analysis

This vulnerability can lead to several security impacts including session hijacking through cookie theft, data exfiltration, phishing by redirecting users to attacker-controlled domains, and Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious URL containing a JavaScript payload that executes when a victim clicks a link, compromising the victim's session and data. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or malicious return URL parameters that include JavaScript or other unsafe URL schemes such as "javascript:", "data:", or protocol-relative URLs like "//evil.com" in requests to the Craft CMS application.

You can inspect web server logs or use network monitoring tools to search for requests containing suspicious returnUrl parameters. Use grep or similar tools on web server logs to find suspicious returnUrl parameters, for example:

  • grep -i 'returnUrl=javascript:' /path/to/access.log
  • grep -i 'returnUrl=data:' /path/to/access.log
  • grep -i 'returnUrl=//' /path/to/access.log

Additionally, you can use web application scanners or security tools that detect reflected XSS vulnerabilities by testing the returnUrl parameter with payloads containing JavaScript schemes. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Craft CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Craft CMS version 4.17.3 or later if you are on the 4.x branch.
  • Upgrade to Craft CMS version 5.9.7 or later if you are on the 5.x branch.

These versions include a fix that properly sanitizes the return URL parameter beyond just removing HTML tags, preventing malicious URL schemes from being stored and executed.

As a temporary workaround until the upgrade can be applied, you may consider adding input validation or filtering on the returnUrl parameter that rejects unsafe URL schemes rather than merely removing HTML tags.
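The two points above (why strip_tags() lets a scheme-based payload through, and how to both validate a return URL and spot such values in access logs) are illustrated by the following added example. It is not Craft CMS code and not the vendor's fix; the function names, the allow-listed host example.com, and the access-log lines are all constructed for the illustration.

```php
<?php
// Added example, not Craft CMS code. Shows that strip_tags() leaves a
// "javascript:" URL untouched, and contrasts it with an allow-list check
// that only accepts same-site relative paths or http(s) URLs on known hosts.
// Function names and sample data are hypothetical.

declare(strict_types=1);

/**
 * Return true only for URLs that are safe to place in an href:
 *  - a same-site relative path such as "/admin/dashboard", or
 *  - an absolute http(s) URL whose host is on $allowedHosts.
 * javascript:, data:, vbscript:, protocol-relative "//host" and anything
 * else are rejected; the caller should then fall back to a default.
 */
function isSafeReturnUrl(string $url, array $allowedHosts): bool
{
    // Drop ASCII control characters and whitespace; browsers ignore them
    // when parsing a scheme, so "java\tscript:" still runs as javascript:.
    $normalized = preg_replace('/[\x00-\x20]/', '', $url) ?? '';
    if ($normalized === '') {
        return false;
    }

    // Relative path: a single leading "/" is fine, but "//" and "/\" are
    // treated by browsers as protocol-relative and would leave the site.
    if ($normalized[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $normalized);
    }

    // Everything else must be an absolute http(s) URL with an allowed host.
    $parts = parse_url($normalized);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($parts['host']), $allowed, true);
}

/** Replace an unsafe return URL with a known-good default. */
function sanitizeReturnUrl(string $url, array $allowedHosts, string $default = '/'): string
{
    return isSafeReturnUrl($url, $allowedHosts) ? $url : $default;
}

/**
 * Detection helper for access logs: extract returnUrl from the request
 * line, percent-decode it as the browser sent it, and return the decoded
 * value if it fails the same check (null if absent or safe). Decoding
 * first is what catches "javascript%3A", which a literal grep for
 * "returnUrl=javascript:" would miss.
 */
function flagReturnUrlInLogLine(string $line, array $allowedHosts): ?string
{
    if (!preg_match('/[?&]returnUrl=([^&\s"]*)/i', $line, $m)) {
        return null;
    }
    $decoded = rawurldecode($m[1]);
    return isSafeReturnUrl($decoded, $allowedHosts) ? null : $decoded;
}

// Constructed sample inputs, including the scheme-based bypass the advisory describes.
$samples = [
    '/admin/dashboard',
    'https://example.com/profile',
    'javascript:alert(document.cookie)',  // no angle brackets: strip_tags() returns it unchanged
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,placeholder',
    '//evil.example/phish',
    'https://evil.example/phish',
];
foreach ($samples as $s) {
    printf("%-36s strip_tags => %-36s allowlist => %s\n",
        addcslashes($s, "\t"), addcslashes(strip_tags($s), "\t"),
        sanitizeReturnUrl($s, ['example.com']));
}

// Constructed access-log lines (not real traffic) run through the detector.
$logLines = [
    '203.0.113.5 - - [11/Mar/2026:10:00:00 +0000] "GET /login?returnUrl=%2Fadmin%2Fdashboard HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Mar/2026:10:01:00 +0000] "GET /login?returnUrl=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
    '203.0.113.9 - - [11/Mar/2026:10:02:00 +0000] "GET /login?returnUrl=%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0',
];
foreach ($logLines as $line) {
    $flag = flagReturnUrlInLogLine($line, ['example.com']);
    echo $flag === null ? "ok      " : "FLAGGED ", $flag ?? '-', "\n";
}
```

Run with `php example.php`. The first loop shows strip_tags() returning every sample unchanged while the allow-list check replaces all but the first two with "/"; the second loop flags the two percent-encoded log entries that the advisory's literal grep patterns would not match. An allow-list of schemes and hosts is the right shape for this check because the set of dangerous schemes is open-ended, whereas the set of places a login flow should legitimately return to is small and known.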
