Executive Summary

CVE-2026-56381 is a stored cross-site scripting (XSS) vulnerability in Craft CMS versions 5.0.0-RC1 through 5.8.21. It occurs on the User Permissions page where user group names are displayed without proper HTML escaping.

An attacker with administrative privileges can inject malicious JavaScript code into the user group name field. This injected code then executes when other users view or edit permissions, potentially compromising their session or data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin access to execute arbitrary JavaScript in the context of other users who view or edit user permissions. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of other users.

Since the attack requires admin privileges to inject the malicious code, the risk is somewhat limited to environments where admin accounts are compromised or malicious.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Craft CMS installation is running a vulnerable version between 5.0.0-RC1 and 5.8.21 where user group names in the User Permissions page are rendered without proper HTML escaping.

To detect exploitation attempts or presence of malicious payloads, you can inspect the user group names in the database or via the CMS interface for suspicious JavaScript code.

There are no specific network commands provided in the resources, but you can use web application scanning tools or manual inspection to look for user group names containing script tags or JavaScript code.

• Query the database for user group names containing suspicious script tags, e.g., using SQL: SELECT * FROM user_groups WHERE name LIKE '%<script>%';
• Use web vulnerability scanners that detect stored XSS vulnerabilities on the User Permissions page.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to version 5.8.22 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict administrative access to trusted users only, as exploitation requires admin privileges to inject malicious JavaScript.

Additionally, sanitize or validate user group names to ensure they do not contain executable code before rendering them in the User Permissions page.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) flaw that allows attackers with admin access to inject malicious JavaScript, which can execute when other users view or edit permissions. Such vulnerabilities can potentially lead to unauthorized access or exposure of sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, stored XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could impact compliance by enabling unauthorized actions or data exposure, which may violate requirements for protecting personal or sensitive data under regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0