DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-55793: CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

Vulnerability ID: CVE-2026-55793
CVSS Score: 5.9
Published: 2026-07-06

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

TL;DR

A DOM-based Stored XSS in Craft CMS (5.0.0-RC1 to 5.9.22) allows low-privileged authors to execute arbitrary JavaScript in admin sessions when admins perform drag-and-drop operations on affected entry structures.


Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Base Score: 5.9 (Medium) - CVSS v4.0
  • EPSS Score: 0.00412
  • Impact: High Integrity Compromise (Session Takeover / Privilege Escalation)
  • Exploit Status: Proof-of-Concept / Technical Analysis Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Craft CMS
  • cms: >= 5.0.0-RC1, <= 5.9.22 (Fixed in: 5.9.23)

Code Analysis

Commit: 162321e

Fixed GHSA-xrqc-p465-2xvg

diff --git a/src/web/assets/cp/src/js/ElementTableSorter.js b/src/web/assets/cp/src/js/ElementTableSorter.js
index 1a2b3c4..5d6e7f8 100644
--- a/src/web/assets/cp/src/js/ElementTableSorter.js
+++ b/src/web/assets/cp/src/js/ElementTableSorter.js
@@ -641,13 +641,15 @@ Craft.ElementTableSorter = Garnish.DragSort.extend(
         if (this._updateAncestors._$ancestor.data('descendants') == 1) {
           // Create its toggle
           const ancestorTitle = this._updateAncestors._$ancestor.data('title');
-          $(
-            '<button class="toggle expanded" type="button" aria-expanded="true" title="' +
-              Craft.t('app', 'Show/hide children') +
-              '" aria-label="' +
-              Craft.t('app', 'Show {title} children', {title: ancestorTitle}) +
-              '"></button>'
-          ).insertAfter(
+          $('<button/>', {
+            class: 'toggle expanded',
+            type: 'button',
+            'aria-expanded': 'true',
+            title: Craft.t('app', 'Show/hide children'),
+            'aria-label': Craft.t('app', 'Show {title} children', {
+              title: ancestorTitle,
+            }),
+          }).insertAfter(
             this._updateAncestors._$ancestor.find('> th .move:first')
           );
         }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Craft CMS instances to version 5.9.23 or higher.
  • Restrict 'saveEntries' and structure management privileges to trusted administrative accounts.
  • Deploy Web Application Firewall (WAF) filters to monitor entry saving actions for event handlers inside text properties.

Remediation Steps:

  1. Navigate to the root directory of the Craft CMS deployment.
  2. Execute the dependency manager update command: composer update craftcms/cms.
  3. Verify the installed version is 5.9.23 or above using: php craft help.
  4. Clear the compiled control panel resource cache to force loading of the updated ElementTableSorter.js asset.

References


Read the full report for CVE-2026-55793 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)