Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Metrics
Affected Vendors & Products
References
History
Wed, 24 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Craftcms
Craftcms craftcms |
|
| Vendors & Products |
Craftcms
Craftcms craftcms |
Tue, 23 Jun 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sun, 21 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions. | |
| Title | Craft CMS - Stored XSS via User Group Name in User Permissions Page | |
| First Time appeared |
Juzaweb
Juzaweb cms |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Juzaweb
Juzaweb cms |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-21T13:26:58.292Z
Updated: 2026-06-23T02:48:37.589Z
Reserved: 2026-06-21T02:05:47.495Z
Link: CVE-2026-56381
Updated: 2026-06-23T02:48:32.314Z
No data.
No data.