🔐 CVE Alert

CVE-2026-33051

UNKNOWN 0.0

Craft CMS Vulnerable to Stored XSS in Revision Context Menu

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 8th

Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.

CWE: CWE-79
Vendor: craftcms
Product: cms
Published: Mar 20, 2026
Last Updated: Mar 24, 2026

Affected Versions

craftcms / cms
>= 5.9.0-beta.1, < 5.9.11

References

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
github.com: https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
github.com: https://github.com/craftcms/cms/releases/tag/5.9.11