CVE-2026-56393

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.0-beta.1 Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1

Description Stored cross-site scripting occurs when settings names and field option labels are rendered without sanitization, specifically within the 'checkbox.twig' template using the label|raw filter. An authenticated administrator with allowAdminChanges enabled can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels. This allows arbitrary JavaScript to execute within the control-panel sessions of other users.

Recommendations Update to version 4.17.0-beta.1 or later. Update to version 5.9.0-beta.1 or later.