CVE-2026-55793
Status: Received (Intake)

Craft CMS Entry Title Stored XSS via Drag-and-Drop

Vulnerability report for CVE-2026-55793, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victim’s session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23.

CVSS Scores: not yet available for this record

EPSS Scores: not yet evaluated (Probability: N/A, Percentile: N/A)

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
craftcms | craft_cms | From 5.0.0 (inc) to 5.9.22 (inc), vulnerable (the advisory text starts the range at 5.0.0-RC1)
craftcms | craft_cms | 5.9.23, fixed version

Exploitability

CWE ID: CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability affects Craft CMS versions 5.0.0-RC1 through 5.9.22. An author-level control panel user can insert a malicious JavaScript payload into an entry title. When an admin or any control panel user with the saveEntries permission for the same Structure section drags another entry under the malicious entry in table view, the payload executes within the victim's session.

The root cause is that the title is escaped into a data-title attribute by the server, then decoded by the browser, read using jQuery's .data('title'), and concatenated into a new HTML string without proper attribute escaping. Exploitation requires the attacker to have at least an Author role control panel account, the victim to perform a drag operation (not just visit the page), and the victim's session to have elevated permissions at the time of the trigger.

This issue was fixed in version 5.9.23.
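The Description and the Executive Summary both describe the same chain: a title escaped once by the server, decoded back to its raw form by the browser's HTML parser when it reads the data-title attribute, and then pasted into a new HTML string by the drag handler. The following is an added example, not Craft CMS code, that models that chain with plain strings so it runs in Node without a DOM or jQuery: escapeAttr stands in for the server's attribute escaping, decodeAttr for the parser's entity decoding (what .data('title') hands back), and the two buildDragHelper functions are hypothetical stand-ins for the drag handler before and after the fix. The sample title and the drag-helper markup are constructed for illustration, not taken from the advisory.

```javascript
// Added example (not Craft CMS code): models the escape-once / decode / concatenate
// bug described above with plain strings. Constructed sample title, not a real payload.
const ATTACKER_TITLE = '<img src=x onerror=alert(document.cookie)>';

// Server side: escape a value for use inside a double-quoted HTML attribute.
// Ampersand goes first so later replacements are not re-escaped.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Server-rendered table row. The title is escaped once, which is correct here.
function renderServerRow(title) {
  return `<tr data-title="${escapeAttr(title)}"><td>${escapeAttr(title)}</td></tr>`;
}

// Browser side: the HTML parser decodes entities in attribute values, so
// element.dataset.title and $(el).data('title') return the ORIGINAL raw string.
// Ampersand is decoded last so "&amp;lt;" becomes "&lt;", not "<".
function decodeAttr(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Pull the attribute out of the rendered row the way the parser would.
function readDataTitle(rowHtml) {
  const m = /data-title="([^"]*)"/.exec(rowHtml);
  return m ? decodeAttr(m[1]) : '';
}

// Hypothetical vulnerable drag handler: the decoded title is concatenated
// straight into new markup, so the attacker's tags become live DOM.
function buildDragHelperVulnerable(title) {
  return '<div class="drag-helper" title="' + title + '">' + title + '</div>';
}

// Hypothetical fixed handler: escape again at the point where HTML is built.
function buildDragHelperSafe(title) {
  const esc = escapeAttr(title);
  return '<div class="drag-helper" title="' + esc + '">' + esc + '</div>';
}

// Crude detector for the constructed payload: a raw <img ...> with an onerror handler.
function containsActiveMarkup(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

// Walk the whole chain and report where the escaping holds and where it breaks.
function demo(title = ATTACKER_TITLE) {
  const serverRow = renderServerRow(title);
  const recovered = readDataTitle(serverRow); // identical to the attacker's input again
  return {
    serverRowSafe: !containsActiveMarkup(serverRow),
    recoveredEqualsOriginal: recovered === title,
    vulnerable: containsActiveMarkup(buildDragHelperVulnerable(recovered)),
    fixed: containsActiveMarkup(buildDragHelperSafe(recovered)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes is that the server's escaping is not the bug: the rendered row is safe, and escaping the title a second time before storage would only corrupt it wherever else it is displayed. The defect is the client-side concatenation, so the fix belongs there, either by escaping at the moment the new HTML string is built (as buildDragHelperSafe does) or, in a real browser, by creating elements with document.createElement and assigning textContent and setAttribute instead of building markup from strings.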

Impact Analysis

This vulnerability can lead to the execution of malicious JavaScript code within the session of an admin or privileged control panel user. This could allow an attacker to perform actions on behalf of the victim, potentially leading to unauthorized changes, data theft, or further compromise of the CMS environment.

Because exploitation needs an existing control panel account, a drag action performed by the victim, and an elevated victim session at that moment, the flaw is not reachable by anonymous attackers and is unlikely to be mass-exploited. The risk concentrates in installs where Structure sections are shared between low-privilege authors and admins who reorder entries in table view.

Mitigation Strategies

To mitigate this vulnerability, upgrade Craft CMS to version 5.9.23 or later, where the issue has been fixed.

Until the upgrade is applied, reduce exposure rather than rely on user behaviour: keep Author-level control panel accounts to people you trust, avoid placing untrusted authors in Structure sections that admins reorder, and have privileged users refrain from drag reordering in table view on shared sections. Reviewing existing entry titles for markup or script-like content identifies any payload already stored. The defect is in the control panel's drag handler, so the upgrade is the only complete fix; the measures above only shrink the pool of possible attackers and victims.
