Craft CMS – Stored XSS via User Group Name in...

4.6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Description

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

Basic Information

ID CVE-2026-56381

Source VulnCheck

Published Jun 21, 2026 at 13:26

Affected Product

Vendor craftcms

Product cms

Version 5.0.0-RC1

Affected Versions craftcms cms 5.0.0-RC1

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.",
    "published": "2026-06-21T13:26:58.292Z",
    "modified": "2026-06-21T13:26:58.292Z",
    "type": "cve",
    "title": "Craft CMS - Stored XSS via User Group Name in User Permissions Page",
    "source": "VulnCheck",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6\nhttps://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page",
    "id": "CVE-2026-56381",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms 5.0.0-RC1",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": "5.0.0-RC1",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS – Stored XSS via User Group Name in User Permissions Page_CVE-2026-56381