CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter
Vulnerability ID: CVE-2026-55793
CVSS Score: 5.9
Published: 2026-07-06
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
TL;DR
A DOM-based Stored XSS in Craft CMS (5.0.0-RC1 to 5.9.22) allows low-privileged authors to execute arbitrary JavaScript in admin sessions when admins perform drag-and-drop operations on affected entry structures.
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Base Score: 5.9 (Medium) - CVSS v4.0
- EPSS Score: 0.00412
- Impact: High Integrity Compromise (Session Takeover / Privilege Escalation)
- Exploit Status: Proof-of-Concept / Technical Analysis Available
- CISA KEV Status: Not Listed
Affected Systems
- Craft CMS
-
cms: >= 5.0.0-RC1, <= 5.9.22 (Fixed in:
5.9.23)
Code Analysis
Commit: 162321e
Fixed GHSA-xrqc-p465-2xvg
diff --git a/src/web/assets/cp/src/js/ElementTableSorter.js b/src/web/assets/cp/src/js/ElementTableSorter.js
index 1a2b3c4..5d6e7f8 100644
--- a/src/web/assets/cp/src/js/ElementTableSorter.js
+++ b/src/web/assets/cp/src/js/ElementTableSorter.js
@@ -641,13 +641,15 @@ Craft.ElementTableSorter = Garnish.DragSort.extend(
if (this._updateAncestors._$ancestor.data('descendants') == 1) {
// Create its toggle
const ancestorTitle = this._updateAncestors._$ancestor.data('title');
- $(
- '<button class="toggle expanded" type="button" aria-expanded="true" title="' +
- Craft.t('app', 'Show/hide children') +
- '" aria-label="' +
- Craft.t('app', 'Show {title} children', {title: ancestorTitle}) +
- '"></button>'
- ).insertAfter(
+ $('<button/>', {
+ class: 'toggle expanded',
+ type: 'button',
+ 'aria-expanded': 'true',
+ title: Craft.t('app', 'Show/hide children'),
+ 'aria-label': Craft.t('app', 'Show {title} children', {
+ title: ancestorTitle,
+ }),
+ }).insertAfter(
this._updateAncestors._$ancestor.find('> th .move:first')
);
}
Mitigation Strategies
- Upgrade Craft CMS instances to version 5.9.23 or higher.
- Restrict 'saveEntries' and structure management privileges to trusted administrative accounts.
- Deploy Web Application Firewall (WAF) filters to monitor entry saving actions for event handlers inside text properties.
Remediation Steps:
- Navigate to the root directory of the Craft CMS deployment.
- Execute the dependency manager update command: composer update craftcms/cms.
- Verify the installed version is 5.9.23 or above using: php craft help.
- Clear the compiled control panel resource cache to force loading of the updated ElementTableSorter.js asset.
References
- Craft CMS GitHub Fix Commit
- Craft CMS GitHub Security Advisory
- CVE-2026-55793 CVE Record
- Wiz Vulnerability Database Advisory
Read the full report for CVE-2026-55793 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)