PT-2026-54861 · Craft Cms · Craft Cms

Crypto-Cat

·

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-55793

CVSS v4.0

5.9

Medium

VectorAV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22
Description A stored cross-site scripting issue exists where a user with author-level control panel permissions can embed a malicious JavaScript payload within an entry title. The execution occurs when an administrator or a user with saveEntries permissions for the same Structure section performs a drag operation on another entry under the affected entry in the table view. This happens because the server escapes the title into data-title, which the browser decodes and jQuery reads via .data('title'), subsequently concatenating it into a new HTML string without proper attribute escaping. Successful exploitation requires the attacker to have at least an Author role and the victim to perform a specific drag action while possessing elevated session privileges.
Recommendations Update to version 5.9.23.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55793
GHSA-XRQC-P465-2XVG

Affected Products

Craft Cms