PT-2026-5593 — XSS in Packagist Solspace/Craft-Freeform

PT-2026-5593 · Packagist · Solspace/Craft-Freeform

Published

2026-01-22

Updated

2026-01-22

CVSS v4.0

2.1

Low

Vector

AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Summary An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.

Affected Product

Ecosystem: Packagist (Craft CMS plugin)
Package: solspace/craft-freeform
Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.

Details

Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using dangerouslySetInnerHTML without sanitization.
Evidence: dangerouslySetInnerHTML on user-controlled properties in bundled CP JS at packages/plugin/src/Resources/js/client/client.js.

PoCs

Label-based XSS:

In Craft CP, create/edit a Freeform field and set its label to <img src=x onerror="alert('xss-label')">.
Open the form builder view containing the field.
Alert executes (stored XSS).

Integration icon SVG:

Set an integration "icon SVG" to <svg><script>alert('xss-icon')</script></svg>.
Open the integrations CP view.
Script executes.

Impact Arbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.

Remediation

Sanitize/HTML-encode all user-controlled strings before passing to dangerouslySetInnerHTML, or avoid it for labels/titles/icons.
Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.
Add regression tests with <img onerror> payloads to ensure no execution in builder/integration views.

Workarounds