CVE-2026-56381

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6
https://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page
https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6

Configurations

No configuration.

History

23 Jun 2026, 04:17

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6 -

21 Jun 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-21 14:16

Updated : 2026-06-23 04:17

NVD link : CVE-2026-56381

Mitre link : CVE-2026-56381

CVE.ORG link : CVE-2026-56381

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-56381", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-56381", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T02:48:06.956002Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": "5.0.0-RC1", "lessThan": "5.8.22", "versionType": "semver"}, {"status": "unaffected", "version": "5.8.22", "versionType": "semver"}], "packageURL": "pkg:composer/craftcms/cms", "defaultStatus": "unaffected"}]}], "published": "2026-06-21T14:16:25.627", "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions."}], "lastModified": "2026-06-23T04:17:43.893", "sourceIdentifier": "disclosure@vulncheck.com"}