Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

Description

Overview of all XSS Reports

Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows:

| Report | What's Vulnerable | Why Separate |
| --- | --- | --- |
| This Report (1) | Multiple settings names | Twig template: _includes/forms/checkbox.twig |
| Report 2 | Entry Types Name | Twig template: _includes/forms/editableTable.twig |
| Report 3 | Card Attributes in Field Layout | helpers/Cp.php |
| Report 4 (Commerce) | Product Type Name | Source in Commerce, sink in CMS; will be reported via a Commerce GHSA |

Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. They were consolidated into one report, and the final categorization is left to the user's judgement.

Note: This overview is only in this Report. Other reports only reference this one.


Summary

Stored XSS in multiple settings: names and labels are rendered without sanitization through the checkbox.twig template, which outputs them with {{ label|raw }}.


Affected Sources

| # | Source (injection point) | Sink (where payload reflects) |
| --- | --- | --- |
| 1 | Section Name (/admin/settings/sections) | Entries field -> Sources checklist |
| 2 | Volume Name (/admin/settings/assets/volumes/{vol_id}) | Assets field -> Sources checklist |
| 3 | User Group Name (/admin/settings/users/groups) | Users field -> Sources, User permissions page |
| 4 | Global Set Name (/admin/settings/globals) | User permissions page |
| 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes |
| 6 | Checkboxes & Radio Buttons Field Option Label (/admin/settings/fields) | User profile pages |
| 7 | Custom Sources Label (/admin/users -> Customize Sources) | Users field -> Sources checklist |
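All seven sources are free-text names or labels stored in settings, so a defender can audit an exported configuration for markup before it reaches a raw-output template. The following Python script is an added example, not Craft's own code: it walks a constructed sample shaped after Craft's project config (an assumption about the layout; the sample data is invented here) and flags every `name` or `label` value that looks like an HTML tag, and it shows the encoding that closes the sink, the analogue of rendering the label escaped instead of with `|raw`.

```python
import html
import re
from typing import Iterator

# Constructed sample, shaped after Craft's project config (assumption):
# sections/volumes/user groups carry a "name", Checkboxes options carry a "label".
# Only the first value is the payload from this report; the second is harmless
# markup that a name should still never contain.
SAMPLE_PROJECT_CONFIG = {
    "sections": {
        "a1b2": {"name": "News", "handle": "news"},
        "c3d4": {"name": "<img src=x onerror=\"alert('XSS')\">", "handle": "blog"},
    },
    "volumes": {"e5f6": {"name": "Images", "handle": "images"}},
    "users": {"groups": {"g7h8": {"name": "Editors & Authors", "handle": "editors"}}},
    "fields": {
        "i9j0": {
            "name": "Interests",
            "type": "craft\\fields\\Checkboxes",
            "settings": {"options": [
                {"label": "Sports", "value": "sports"},
                {"label": "<b>Promo</b>", "value": "promo"},
            ]},
        }
    },
}

AUDITED_KEYS = {"name", "label"}          # keys that end up in checkbox.twig labels
TAG_LIKE = re.compile(r"<\s*/?[A-Za-z!?]")  # "<img", "</b", "<!--": anything tag-shaped


def find_markup(node, path=()) -> Iterator[tuple[str, str]]:
    """Yield (dotted path, value) for every audited key whose value looks like markup."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in AUDITED_KEYS and isinstance(value, str) and TAG_LIKE.search(value):
                yield ".".join(path + (key,)), value
            else:
                yield from find_markup(value, path + (str(key),))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_markup(item, path + (str(index),))


def audit(config) -> list[tuple[str, str]]:
    return list(find_markup(config))


def escape_label(label: str) -> str:
    """Fix side: HTML-encode before output so the browser shows the text, not a tag."""
    return html.escape(label, quote=True)


if __name__ == "__main__":
    for location, value in audit(SAMPLE_PROJECT_CONFIG):
        print(f"{location}: {value!r} -> {escape_label(value)}")
```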

Proof of Concept

Required Permissions (Attacker)

Bugs 1-3: Section, Volume, User Group Names

  1. Log in as admin.
  2. Inject the payload in one of these:
     - Settings -> Sections -> Create/edit section -> Name
     - Settings -> Assets -> Volumes -> Create/edit volume -> Name
     - Settings -> Users -> User Groups -> Create/edit group -> Name
  3. Set Name to:
     <img src=x onerror="alert('XSS')">
  4. Save.
  5. Go to Settings -> Fields -> Create new field.
  6. To trigger the XSS payload, set Field Type to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.

Note: User Group Name also reflects on User permissions page under User Groups section (/admin/users/{id}/permissions).


Bug 4: Global Set Name

  1. Go to Settings -> Globals (/admin/settings/globals).
  2. Create/edit a Global Set, set Name to payload.
  3. Save.
  4. Go to Users -> Edit any user -> Permissions tab (/admin/users/{id}/permissions).
  5. The alert fires because the payload is rendered in the "Global Sets" permissions section without encoding or sanitization.

Bug 5: Generated Fields Name

  1. Go to Settings -> Assets -> Volumes -> Create/Edit a volume.
  2. Scroll to the Generated Fields section.
  3. Add a field, set Name to payload:
     <img src=x onerror="alert('XSS')">
  4. Save and notice the alert. The payload renders in the Card Attributes checkbox list below it.

Bug 6: Checkboxes/Radio Buttons Option Label

  1. Go to Settings -> Fields (/admin/settings/fields).
  2. Create new field, set Field Type to "Checkboxes" or "Radio Buttons".
  3. In Field Options, add an option with Label set to payload.
  4. Save the field.
  5. Go to Settings -> Users -> User Profile Fields (/admin/settings/users/fields).
  6. Add the created field to the layout and save.
  7. Alert fires on any user profile page (/admin/users/{id}).

Bug 7: Custom Sources Label

  1. Go to Users (/admin/users).
  2. Click the three dots icon -> Customize Sources.
  3. Create a new custom source, set Label to payload.
  4. Save.
  5. Go to Settings -> Fields -> Create new field.
  6. Set Field Type to "Users".
  7. Alert fires in the Sources checkbox list.

Resources

https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2

Basic information

Type: reviewed
Severity: low
Published (advisory): 2026-03-03 20:58:07 UTC
Updated: 2026-03-03 20:58:09 UTC
GitHub reviewed: 2026-03-03 20:58:07 UTC

CVSS Scores

| Base score | Version | Severity | Vector |
| --- | --- | --- | --- |
| 2.1 | 4.0 | low | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
Attack vector (AV:N): Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L): Exploitation conditions are straightforward and stable.
Attack requirements (AT:N): No additional preconditions are required beyond normal reachability.
Privileges required (PR:N): No privileges are required.
User interaction (UI:P): A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N): No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N): No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N): No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L): Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L): Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N): No availability impact on subsequent systems.
Exploit maturity (threat) (E:P): Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

| Type | Value |
| --- | --- |
| GHSA | GHSA-4mgv-366x-qxvx |

CWEs

| CWE id | Name |
| --- | --- |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |

Credits

  • mHe4am (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
| --- | --- | --- | --- | --- |
| composer | craftcms/cms | >= 5.0.0-RC1, < 5.9.0-beta.1 | 5.9.0-beta.1 | |
| composer | craftcms/cms | >= 4.0.0-RC1, < 4.17.0-beta.1 | 4.17.0-beta.1 | |
