GHSA-G3HP-VVQF-8VW6: Stored Cross-Site Scripting in Craft CMS User Permissions Page
Vulnerability ID: GHSA-G3HP-VVQF-8VW6
CVSS Score: 3.5
Published: 2026-03-11
Craft CMS versions prior to 5.8.22 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Control Panel's User Permissions page. The application fails to properly HTML-encode User Group names, allowing an authenticated attacker with group management privileges to execute arbitrary JavaScript in the context of an administrator's session.
TL;DR
A Stored XSS vulnerability in Craft CMS (< 5.8.22) allows attackers with User Group management privileges to inject malicious scripts via the User Group Name field. The script executes when an administrator views the User Permissions page.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- Privileges Required: Low (User Group Management)
- User Interaction: Required
- Exploit Status: PoC Available
- CISA KEV: No
Affected Systems
- Craft CMS Control Panel
- craftcms/cms: < 5.8.22 (fixed in 5.8.22)
Exploit Details
- Aliyun Vulnerability Database: entry AVD-2026-1859638 indicates that proof-of-concept code is available.
Mitigation Strategies
- Software Upgrade
- Principle of Least Privilege
- Content Security Policy (CSP)
Remediation Steps:
- Update the craftcms/cms Composer package to version 5.8.22 or higher.
- Review the current User Groups and permissions to identify any unauthorized or overly permissive accounts.
- Sanitize existing database records by checking for HTML or script tags within the name column of the User Groups table.
- Implement a Content Security Policy (CSP) header to restrict inline script execution within the Control Panel.
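As an added illustration of the record audit and output-encoding steps above (this is not code from Craft CMS or from the advisory; the table name, column names and sample rows are constructed assumptions), a Python script that flags group names containing markup in an in-memory copy of the table and shows the HTML-encoded form a template should emit instead of the raw value:

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for the Craft CMS user groups table.
# The schema (usergroups: id, name, handle) is an assumption; check your own.
SAMPLE_ROWS = [
    (1, "Editors", "editors"),
    (2, "Authors <b>(trial)</b>", "authors"),          # harmless-looking markup, still a finding
    (3, "Reviewers<script>x</script>", "reviewers"),    # script tag, must be cleaned
    (4, "Sales & Marketing", "sales"),                  # legitimate name, not flagged
]

# Matches anything that looks like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def load_sample_db():
    """Build an in-memory SQLite table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usergroups (id INTEGER, name TEXT, handle TEXT)")
    conn.executemany("INSERT INTO usergroups VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_markup_in_group_names(conn):
    """Return (id, name) for every row whose name contains HTML-like markup."""
    cur = conn.execute("SELECT id, name FROM usergroups ORDER BY id")
    return [(gid, name) for gid, name in cur if TAG_RE.search(name)]


def encode_for_html(name):
    """Encoding a template must apply before placing the name in an HTML body.

    The fix for this class of bug is encoding at output time; this shows what
    the browser receives when the name is rendered safely (as text, not markup).
    """
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = load_sample_db()
    for gid, name in find_markup_in_group_names(db):
        print(f"group {gid}: markup found in name -> would render as {encode_for_html(name)}")
```

Run it as-is against the constructed rows, or point `load_sample_db` at a real database copy after confirming the table and column names.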
References
- GitHub Advisory GHSA-G3HP-VVQF-8VW6
- Craft CMS Release 5.8.22
- Craft CMS 5.x Changelog
- Aliyun Vulnerability Database (AVD-2026-1859638)