VYPR
Moderate severity · NVD Advisory · Published Mar 26, 2021 · Updated Aug 4, 2024

CVE-2020-19626

Description

Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS 3.1.31 has a stored XSS vulnerability in the site creation form, allowing authenticated admins to inject arbitrary scripts via the site name field.

Vulnerability

Overview

CVE-2020-19626 is a stored Cross-Site Scripting (XSS) vulnerability in Craft CMS version 3.1.31. The root cause is missing output escaping when the site name is rendered in the control panel's settings pages. Specifically, the template src/templates/settings/sections/_edit.html used site.name|t('site') without applying the |e filter, so HTML contained in a stored site name reached the page unescaped [1][2].

Exploitation

An attacker must have administrative access to the Craft CMS control panel to exploit this vulnerability. By navigating to /admin/settings/sites/new and saving a site whose name contains HTML or script markup, the attacker stores the payload, which is later executed when any admin views the site settings page. No additional user interaction is required beyond the initial creation [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, defacement, or further privilege escalation within the CMS. Since the attack is stored, it can affect multiple users who visit the compromised page [1].

Mitigation

The vulnerability was fixed in commit 76a2168 by adding the |e filter to escape the site name output [2]. The fix is included in Craft CMS version 3.1.32.1 and later. Users should upgrade to a patched version immediately. No workaround is available for unpatched installations.
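The missing-filter mechanism from the Overview and the `|e` fix from the Mitigation, modelled in Python as an added example: this is not Craft CMS or Twig code, `|t` and `|e` are approximated with a dictionary lookup and `html.escape`, and the site name, translation table and template lines are constructed. It shows why the escape must come last in the chain (escaping before `|t` defeats the translation lookup) and includes a small regex audit that flags variable expressions piped through `|t(...)` with no `|e`/`|escape` after them, which is how a reviewer could look for further instances of the same pattern in a template tree.

```python
"""Model of the Twig filter chain behind the CVE-2020-19626 fix, plus a
template audit for the same pattern. Added example, not Craft CMS code:
Twig itself is not executed here; |t and |e are approximated in Python."""
import html
import re

# Constructed sample data: a site name an administrator could save through
# /admin/settings/sites/new, and a small table standing in for Craft's
# 'site' translation category.
SAMPLE_SITE_NAME = "Main <b>Site</b>"
SAMPLE_TRANSLATIONS = {"Main <b>Site</b>": "Hauptseite <b>Site</b>"}

# Constructed template lines modelled on the patched hunk: the pre-fix line
# (3), the post-fix form (6), a string literal through |t (5) and lines with
# no |t at all (1, 2, 4).
SAMPLE_TEMPLATE = """\
{% set siteRows = siteRows|merge({
    (site.handle): {
        heading: site.name|t('site'),
        enabled: include('_includes/forms/lightswitch', {
        label: "Enabled"|t('app'),
        fixedHeading: site.name|t('site')|e,
"""


def twig_t(value: str, translations: dict) -> str:
    """Approximate Twig/Craft |t: return the translation if one exists,
    otherwise the source string unchanged."""
    return translations.get(value, value)


def twig_e(value: str) -> str:
    """Approximate Twig |e with the default 'html' strategy. Twig encodes the
    single quote as &#039; where Python uses &#x27;; otherwise equivalent."""
    return html.escape(value, quote=True)


def render_heading(site_name: str, translations: dict, filters: list) -> str:
    """Apply the named filters in order, as Twig does left to right.
    ['t'] reproduces the vulnerable line, ['t', 'e'] the fixed one."""
    value = site_name
    for name in filters:
        if name == "t":
            value = twig_t(value, translations)
        elif name == "e":
            value = twig_e(value)
        else:
            raise ValueError(f"unsupported filter: {name}")
    return value


# A variable expression (site.name, entry.title, ...) piped into |t, followed
# by the rest of its filter chain. String literals do not match because the
# closing quote sits between the text and the pipe.
TRANSLATED_VAR = re.compile(
    r"(?P<expr>[A-Za-z_][\w.]*)\|t(?:\([^)]*\))?"
    r"(?P<chain>(?:\|\w+(?:\([^)]*\))?)*)"
)
ESCAPING_FILTERS = {"e", "escape"}


def audit_template(template: str) -> list:
    """Return (line number, expression) for every translated variable
    expression whose filter chain contains no |e / |escape."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in TRANSLATED_VAR.finditer(line):
            chain = set(re.findall(r"\|(\w+)", match.group("chain")))
            if not chain & ESCAPING_FILTERS:
                findings.append((lineno, match.group("expr")))
    return findings


if __name__ == "__main__":
    for chain in (["t"], ["t", "e"], ["e", "t"]):
        print("|".join(chain), "->",
              render_heading(SAMPLE_SITE_NAME, SAMPLE_TRANSLATIONS, chain))
    print("unescaped translations:", audit_template(SAMPLE_TEMPLATE))
```

The audit is deliberately line-local and pattern-based: it will miss a `|t` split across lines and it says nothing about whether the consuming template renders the value raw or under autoescape, so its output is a review worklist, not a verdict.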

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
craftcms/cms   Packagist   < 3.1.33            3.1.33

Affected products: 2

Patches: 1
76a2168b6a5e

Fixed an XSS vulnerability.

https://github.com/craftcms/cms · Brad Bell · Jun 27, 2019 · via ghsa
2 files changed · +6 −1
  • CHANGELOG-v3.md (+5 −0, modified)
    @@ -1,5 +1,10 @@
     # Release Notes for Craft CMS 3.x
     
    +## Unreleased
    +
    +### Security
    +- Fixed an XSS vulnerability.
    +
     ## 3.1.32.1 - 2019-06-25
     
     ### Fixed
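Review bot: the `### Security` entry "Fixed an XSS vulnerability." gives operators nothing to judge exposure with; name the location and the precondition, e.g. "- Fixed an XSS vulnerability in the site name heading on Section settings pages, reachable by control panel users who can create sites." Note also that the entry sits under `## Unreleased` above the already-cut `## 3.1.32.1 - 2019-06-25`, which matches the advisory's patched version of 3.1.33, so the heading needs renaming to that version when the release ships.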
    
  • src/templates/settings/sections/_edit.html (+1 −1, modified)
    @@ -68,7 +68,7 @@
             {% endif %}
             {% set siteRows = siteRows|merge({
                 (site.handle): {
    -                heading: site.name|t('site'),
    +                heading: site.name|t('site')|e,
                     enabled: include('_includes/forms/lightswitch', {
                         name: 'sites['~site.handle~'][enabled]',
                         on: brandNewSection or siteSettings,
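Review bot: `|e` is correctly placed after `|t('site')` so the translated string, not just the stored name, is escaped; putting it before `|t` would also break the translation lookup. The fix is limited to this one `heading` key, though. That it is needed at all shows the table consuming `siteRows` renders `heading` without autoescaping, so the other values in this map and every other template that interpolates `site.name` into a raw-rendered table deserve the same check. A short comment on this line stating why `|e` is required would keep a later refactor from dropping it.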
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.