PT-2026-24687 · Craft CMS

Angrybrad · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-31859

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 5.9.7; Craft versions prior to 4.17.3

Description: The software is susceptible to a reflected cross-site scripting (XSS) issue. A fix intended to sanitize return URLs used strip_tags(), which only removes HTML tags and does not validate URL schemes. Payloads using schemes such as javascript: or data: bypass this sanitization, enabling malicious code execution when the return URL is rendered in an href attribute. Specifically, the setReturnUrl() function in src/web/User.php is affected. The issue arises because strip_tags() operates on HTML syntax, while the threat requires URL scheme validation. Exploitation involves crafting a malicious link containing a dangerous URL, such as https://target.example.com/?returnUrl=javascript:alert(document.cookie), and sending it to a victim. When the victim clicks the link, the malicious URL is stored in the session and subsequently rendered in an href attribute, leading to execution of the attacker-controlled code. This can lead to session hijacking, data exfiltration, phishing, and cross-site request forgery (CSRF).

Recommendations: Versions prior to 5.9.7 should be updated to version 5.9.7. Versions prior to 4.17.3 should be updated to version 4.17.3.
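The following PHP is an added example, not Craft CMS code: it places the strip_tags() approach the advisory describes beside a scheme-aware check on the return URL. The function names, the default fallback path and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not Craft CMS code). Function names are hypothetical.

// Mirrors the flawed fix: strip_tags() removes HTML tags only, so a
// javascript: or data: URL passes through with its scheme intact.
function sanitizeReturnUrlWeak(string $url): string
{
    return strip_tags($url);
}

// Scheme-aware alternative: accept only site-relative paths or absolute
// http(s) URLs; anything else (javascript:, data:, scheme-relative "//host",
// control characters) falls back to a safe default. Output encoding
// (htmlspecialchars) in the template is still required when rendering href.
function sanitizeReturnUrlStrict(string $url, string $default = '/'): string
{
    $url = trim($url);
    // Reject empty input and control characters that URL parsers may skip over.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return $default;
    }
    // Site-relative path: a single leading "/" (not "//" or "/\").
    if (preg_match('#^/(?![/\\\\])#', $url)) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $default;
    }
    // Allow-list of schemes; restricting to the site's own host is a further
    // hardening step if external redirects are not wanted.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    return $url;
}

// Constructed inputs, including the payload quoted in the advisory.
$cases = [
    'javascript:alert(document.cookie)',
    'data:text/html,<script>alert(1)</script>',
    '/admin/dashboard',
    'https://target.example.com/entries?page=2',
];
foreach ($cases as $c) {
    printf("%-45s weak=%-45s strict=%s\n",
        $c, sanitizeReturnUrlWeak($c), sanitizeReturnUrlStrict($c));
}
```

Running it shows the weak function returning the javascript: input unchanged and the data: input with only its tags removed, while the strict function replaces both with the default path.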

Exploit

Fix

Improper Encoding or Escaping of Output

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-31859
GHSA-FVWQ-45QV-XVHV

Affected Products

Cms
Craft Cms
Craftcms/Cms