CVE-2026-56393
Received - Intake
Stored XSS in Craft CMS Settings and Field Labels

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Generated: 2026-06-21
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft_cms From 4.0.0-rc1 (inc) to 4.17.0-beta.1 (exc)
craftcms craft_cms From 5.0.0-rc1 (inc) to 5.9.0-beta.1 (exc)
craftcms craft_cms 4.17.0-beta.1
craftcms craft_cms 5.9.0-beta.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-56393 is a stored cross-site scripting (XSS) vulnerability in Craft CMS 4.x before 4.17.0-beta.1 and 5.x before 5.9.0-beta.1. It occurs because settings names and field option labels are rendered without proper sanitization, for example through the raw filter ({{ label|raw }}) in templates such as checkbox.twig, which bypasses Twig's HTML auto-escaping.

An authenticated administrator, on an installation where the allowAdminChanges config setting is enabled, can inject malicious JavaScript payloads into various settings such as section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels.

These injected scripts then execute in the control-panel sessions of other users, potentially compromising their accounts or data.

Impact Analysis

This vulnerability allows an authenticated administrator with the appropriate permissions to inject malicious JavaScript into various settings and field options within Craft CMS.

As a result, arbitrary JavaScript can execute in the control-panel sessions of other users, potentially leading to session hijacking, unauthorized actions, or data exposure within the CMS backend.

The impact is limited to users who access the control panel and can be exploited only if the allowAdminChanges setting is enabled.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in Craft CMS settings and field option labels that are rendered without sanitization. Detection typically requires inspecting the content of settings names, field option labels, and other affected fields for injected malicious JavaScript payloads.

Since the vulnerability is exploited by an authenticated administrator with allowAdminChanges enabled, detection involves reviewing administrative inputs and rendered templates for unsafe usage of raw HTML output filters such as {{ label|raw }}.

There are no specific network commands or automated detection commands provided in the available resources. However, manual inspection or automated scanning of the CMS database entries for suspicious script tags or JavaScript payloads in section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels can help identify exploitation.
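As an added illustration of that inspection step (this is not code from Craft CMS or from this record), the following Python scans a constructed set of settings values for embedded HTML and shows the rendering difference between Twig auto-escaping and the raw filter. The setting-kind labels and sample values are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample of control-panel settings values (kind, stored value).
# The last three contain the kind of markup the advisory describes; they are
# constructed demo values, not payloads taken from any real site.
SAMPLE_SETTINGS = [
    ("section.name", "News"),
    ("volume.name", "Images & Media"),
    ("field.option.label", "Yes"),
    ("userGroup.name", "Editors <b>bold</b>"),
    ("globalSet.name", "Footer<script>alert(1)</script>"),
    ("field.option.label", "<img src=x onerror=alert(1)>"),
]


class MarkupDetector(HTMLParser):
    """Record every start tag plus any event-handler or javascript: attribute.
    A plain settings name never needs markup, so any tag is worth a look."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name}=")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}=")


def find_markup(value):
    """Return a list of findings for one stored value (empty if it is clean)."""
    detector = MarkupDetector()
    detector.feed(value)
    detector.close()
    return detector.findings


def audit_settings(records):
    """Return (kind, value, findings) for every record that contains markup."""
    return [(kind, value, f) for kind, value in records if (f := find_markup(value))]


def render_label(label, raw=False):
    """Emulate the template difference: {{ label }} is HTML-encoded by Twig's
    auto-escaping, while the |raw filter cited in the advisory emits it as-is."""
    return label if raw else html.escape(label, quote=True)


if __name__ == "__main__":
    for kind, value, findings in audit_settings(SAMPLE_SETTINGS):
        print(f"{kind}: {value!r} -> {findings}")
        print("  escaped rendering:", render_label(value))
```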

Mitigation Strategies

The primary mitigation step is to upgrade Craft CMS to a fixed version where the vulnerability is addressed. Specifically, update to version 4.17.0-beta.1 or later for the 4.x series, or 5.9.0-beta.1 or later for the 5.x series.

Additionally, it is recommended to disable the allowAdminChanges setting in production environments to prevent authenticated administrators from injecting malicious payloads.

The patches remove unsafe raw HTML output in templates and enforce stricter input validation and sanitization, so applying these updates will prevent exploitation.
