PT-2026-25427 · Packagist · Craftcms/Cms
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
2.1
Low
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
Overview of all XSS Reports
Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows:
| Report | What's Vulnerable | Why Separate |
|---|---|---|
| This Report (1) | Multiple settings names | Twig Template: includes/forms/checkbox.twig |
| Report 2 | Entry Types Name | Twig Template: includes/forms/editableTable.twig |
| Report 3 | Card Attributes in Field Layout | helpers/Cp.php |
| Report 4 (Commerce) | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |
Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.
Note: This overview is only in this Report. Other reports only reference this one.
Summary
Stored XSS in multiple settings. Names/labels are rendered without sanitization via
checkbox.twig template which uses {{ label|raw }}.Affected Sources
| # | Source (injection point) | Sink (where payload reflects) |
|---|---|---|
| 1 | Section Name (/admin/settings/sections) | Entries field -> Sources checklist |
| 2 | Volume Name (/admin/settings/assets/volumes/{vol id}) | Assets field -> Sources checklist |
| 3 | User Group Name (/admin/settings/users/groups) | Users field -> Sources, User permissions page |
| 4 | Global Set Name (/admin/settings/globals) | User permissions page |
| 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes |
| 6 | Checkboxes & Radio Buttons Field Option Label (/admin/settings/fields) | User profile pages |
| 7 | Custom Sources Label (/admin/users -> Customize Sources) | Users field -> Sources checklist |
Proof of Concept
Required Permissions (Attacker)
- Admin access
allowAdminChangesis enabled in production, which is against our security recommendations.
Bugs 1-3: Section, Volume, User Group Names
- Log in as admin.
- Inject payload in one of these:
- Settings -> Sections -> Create/edit section -> Name
- Settings -> Assets -> Volumes -> Create/edit volume -> Name
- Settings -> Users -> User Groups -> Create/edit group -> Name
- Set Name to:
html
<img src=x onerror="alert('XSS')">- Save.
- Go to Settings -> Fields -> Create new field.
- To trigger the XSS payload: Set Field Type to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.
Note: User Group Name also reflects on User permissions page under User Groups section (
/admin/users/{id}/permissions).Bug 4: Global Set Name
- Go to Settings -> Globals (
/admin/settings/globals). - Create/edit a Global Set, set Name to payload.
- Save.
- Go to Users -> Edit any user -> Permissions tab (
/admin/users/{id}/permissions). - Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.
Bug 5: Generated Fields Name
- Go to Settings -> Assets -> Volumes -> Create/Edit a volume.
- Scroll to Generated Fields section.
- Add a field, set Name to payload:
html
<img src=x onerror="alert('XSS')">- Save & Notice the alert. The payload renders in the Card Attributes checkbox list below it.
Bug 6: Checkboxes/Radio Buttons Option Label
- Go to Settings -> Fields (
/admin/settings/fields). - Create new field, set Field Type to "Checkboxes" or "Radio Buttons".
- In Field Options, add an option with Label set to payload.
- Save the field.
- Go to Settings -> Users -> User Profile Fields (
/admin/settings/users/fields). - Add the created field to the layout and save.
- Alert fires on any user profile page (
/admin/users/{id}).
Bug 7: Custom Sources Label
- Go to Users (
/admin/users). - Click the three dots icon -> Customize Sources.
- Create a new custom source, set Label to payload.
- Save.
- Go to Settings -> Fields -> Create new field.
- Set Field Type to "Users".
- Alert fires in the Sources checkbox list.
Resources
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craftcms/Cms