Impact Analysis

This vulnerability can allow a low-privileged user to escalate their privileges to administrator by injecting malicious scripts into their profile name. If an administrator is logged in and views the crafted content, the malicious script executes, potentially giving the attacker full administrative control over the CMS.

Such privilege escalation can lead to unauthorized access, modification, or deletion of content, configuration changes, and compromise of the entire system managed by Craft CMS.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33051 is a stored Cross-Site Scripting (XSS) vulnerability in Craft CMS versions 5.9.0-beta.1 through 5.9.10. The issue occurs because the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML without proper encoding. This happens due to the use of Template::raw() combined with Craft::t() string interpolation, which allows malicious HTML or script injection.'}, {'type': 'paragraph', 'content': "A low-privileged user, such as an Author, can exploit this vulnerability by setting their fullName to an XSS payload via the profile editor and then creating an entry with two saves. If an administrator is logged in with an active elevated session, the crafted payload can execute and escalate the attacker's privileges to administrator."}, {'type': 'paragraph', 'content': "The vulnerability was fixed by ensuring the creator's name is properly HTML-encoded before rendering, preventing execution of injected scripts."}] [2, 3]

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a stored Cross-Site Scripting (XSS) issue in Craft CMS versions 5.9.0-beta.1 through 5.9.10, where a low-privileged user can inject malicious scripts via their fullName field. Detection involves checking if any user profiles have suspicious or script-like content in their fullName field.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can query the database for user fullName fields containing HTML or script tags that could indicate an XSS payload.'}, {'type': 'list_item', 'content': "Example SQL command to find suspicious fullName values: SELECT id, fullName FROM users WHERE fullName LIKE '%<script>%' OR fullName LIKE '%<%' OR fullName LIKE '%>%' LIMIT 10;"}, {'type': 'list_item', 'content': 'Review recent entries created by low-privileged users for unusual content or multiple saves that might indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs for unusual activity involving user profile updates or context menu interactions in the element editor may help identify exploitation attempts.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary and immediate mitigation step is to update Craft CMS to version 5.9.11 or later, where this vulnerability has been fixed by properly encoding the creator's fullName before rendering."}, {'type': 'paragraph', 'content': 'Until the update can be applied, restrict low-privileged users from editing their fullName or limit their ability to create or save entries in the element editor to reduce the risk of exploitation.'}, {'type': 'paragraph', 'content': 'Review and sanitize user profile data to remove any injected scripts or suspicious content in fullName fields.'}, {'type': 'paragraph', 'content': 'Monitor administrator sessions closely and consider logging out and re-authenticating administrators to invalidate any active elevated sessions that might be exploited.'}] [1, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0