Stored XSS in Craft CMS 4.x/5.x <4.17.0/5.9.0
CVE-2026-56393 Published on June 21, 2026
Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Vulnerability Analysis
CVE-2026-56393 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-56393 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-56393
Want to know whenever a new CVE is published for Juzaweb Cms? stack.watch will email you.
Affected Versions
craftcms cms:- Version 5.0.0-RC1 and below 5.9.0-beta.1 is affected.
- Version 5.9.0-beta.1 is unaffected.
- Version 4.0.0-RC1 and below 4.17.0-beta.1 is affected.
- Version 4.17.0-beta.1 is unaffected.