๐Ÿ” CVE Alert

CVE-2026-56381

MEDIUM 4.8

Craft CMS - Stored XSS via User Group Name in User Permissions Page

CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
0th

Craft CMS versions from 5.0.0-RC1 up to, but not including, 5.8.22 contain a stored cross-site scripting vulnerability in the control panel's User Permissions page: user group names are rendered into that page without HTML escaping. An attacker who already holds admin access (the CVSS vector's PR:H) can store JavaScript in a user group's name field; it executes in the browser of any other user who later views or edits permissions on that page. Because the defect is a missing output escape and the payload is persisted with the group, upgrading to 5.8.22 or later stops the rendering, but group names saved before the upgrade should still be reviewed for planted markup.
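As an added illustration (this is not Craft CMS code and not the advisory's reproduction), the Python below models the bug class and its fix: a stored group name interpolated into a permissions-page row unescaped versus HTML-escaped at output time, plus a small audit helper for flagging already-stored names that contain markup. The row template, the sample group names and the helper names are all constructed for this example and are assumptions, not Craft's markup or API.

```python
"""Stored XSS via an unescaped group name: bug class, fix, and audit.

Added example for CVE-2026-56381; not Craft CMS code. The row template
below is a stand-in for the permissions-page markup, not the real template.
"""
import html
import re
from typing import Dict, Iterable, List

# Constructed sample data: group names as an admin might have saved them.
SAMPLE_GROUP_NAMES: List[str] = [
    "Editors",
    "Finance & Legal",                                    # benign; '&' still needs encoding
    'Ops <img src=x onerror="alert(document.cookie)">',   # planted payload
    "<script>alert(1)</script>",                          # planted payload
]


def render_row_unescaped(group_name: str) -> str:
    """Bug class: the stored name is dropped into the page as-is
    (the Twig equivalent of ``{{ group.name|raw }}``)."""
    return (f'<tr><th scope="row">{group_name}</th>'
            f'<td><input type="checkbox" name="perm"></td></tr>')


def render_row_escaped(group_name: str) -> str:
    """Fix: encode at output time, so the name is text and never markup."""
    safe = html.escape(group_name, quote=True)
    return (f'<tr><th scope="row">{safe}</th>'
            f'<td><input type="checkbox" name="perm"></td></tr>')


# Locate the name cell of a rendered row (constructed template, see above).
_TH_RE = re.compile(r'<th scope="row">(.*?)</th>', re.S)
# A '<' followed by an optional '/' and a letter is the start of a live tag.
_TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")


def injected_markup(rendered_row: str) -> bool:
    """True if the group-name cell contains a live tag, i.e. the stored name
    escaped its text context and became part of the page's DOM."""
    cell = _TH_RE.search(rendered_row).group(1)
    return _TAG_RE.search(cell) is not None


def audit_group_names(names: Iterable[str]) -> Dict[str, str]:
    """Flag stored names that look like planted markup.

    Angle brackets have no place in a group name. A bare '&' is normal and is
    harmless once output-encoded, so it is not reported: the fix is output
    escaping, not stripping characters from input.
    """
    findings: Dict[str, str] = {}
    for name in names:
        if "<" in name or ">" in name:
            findings[name] = "angle bracket in group name"
        elif re.search(r"\bon[a-z]+\s*=|javascript:", name, re.I):
            findings[name] = "event handler or javascript: URL in group name"
    return findings


if __name__ == "__main__":
    for name in SAMPLE_GROUP_NAMES:
        raw_hit = injected_markup(render_row_unescaped(name))
        safe_hit = injected_markup(render_row_escaped(name))
        print(f"{name!r}: unescaped live markup={raw_hit}, escaped live markup={safe_hit}")
    print("audit findings:", audit_group_names(SAMPLE_GROUP_NAMES))
```

The audit helper is deliberately narrow: it reports angle brackets and inline handlers, which a legitimate group name never needs, and leaves "Finance & Legal" alone. That mirrors the correct fix for this bug class, encoding at the rendering boundary rather than sanitising what admins are allowed to type.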

CWE CWE-79
Vendor craftcms
Product cms
Published Jun 21, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

craftcms / cms
>= 5.0.0-RC1, < 5.8.22 (fixed in 5.8.22)

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6
VulnCheck: https://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page

Credits

๐Ÿ” mHe4am