Craft has Reflective XSS via incomplete return URL sanitization
Description
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS incomplete fix for CVE-2025-35939 uses strip_tags() which fails to block javascript: and data: URIs, enabling reflected XSS via return URL.
Vulnerability
Overview
The fix for CVE-2025-35939 in Craft CMS introduced a strip_tags() call in src/web/User.php to sanitize return URLs before storing them in the session. However, strip_tags() only removes HTML tags (angle brackets) and does not inspect or filter URL schemes. This allows payloads like javascript:alert(document.cookie) or data:text/html;base64,... to pass through completely unmodified, enabling reflected cross-site scripting (XSS) when the return URL is later rendered in an href attribute [1][2].
Exploitation
An attacker can craft a link such as https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie) and send it to a victim. When the victim follows it, Craft passes the attacker-controlled value to setReturnUrl(). Because strip_tags() only removes angle-bracket markup and never looks at the URL scheme, the javascript: payload survives unchanged, is stored in the session, and is later emitted as the href of a link. The script runs in the victim's browser when the victim activates that link; a javascript: href does not execute merely by being rendered [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, credentials, or other sensitive data, as well as unauthorized actions performed on behalf of the authenticated user. The vulnerability is classified as reflected XSS and requires user interaction (clicking a crafted link) [2].
Mitigation
The vulnerability is fixed in Craft CMS versions 5.9.7 and 4.17.3. The fix reads the scheme with parse_url() and, when a scheme is present that is not http or https, replaces the return URL with / before the existing strip_tags() call, so a javascript: or data: URL never reaches the session [1][4]. Scheme-less (relative) URLs and http(s) URLs are accepted as before. Users are strongly advised to update to a patched version immediately.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
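To make the difference between the two sanitizers concrete, here is an added example (not code from Craft CMS or its authors) that runs the pre-patch strip_tags()-only filter, a check modeled on the patched setReturnUrl() hunk, and a stricter variant of my own that normalizes whitespace the way a browser's URL parser does before calling parse_url(), over constructed sample return URLs. The function names and sample inputs are mine; the strict variant is an assumption about what a more defensive check would look like, not something the patch contains.

```php
<?php
// Added example, not Craft CMS code: three return-URL sanitizers side by side.
declare(strict_types=1);

// Pre-patch behaviour: strip_tags() removes angle-bracket markup only and
// never inspects the URL scheme, so javascript:/data: URLs pass untouched.
function sanitizeWithStripTagsOnly(string $url): string
{
    return strip_tags($url);
}

// Modeled on the patched setReturnUrl() hunk: if parse_url() finds a scheme
// and it is not http or https, fall back to '/', then strip tags as before.
function sanitizePatchStyle(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme && !in_array($scheme, ['http', 'https'])) {
        $url = '/';
    }
    return strip_tags($url);
}

// Stricter variant (my addition, not part of the patch): first discard the
// characters a browser's URL parser drops (leading/trailing C0 controls and
// space, tab/CR/LF anywhere), so parse_url() sees the scheme the browser will
// act on; reject unparsable input; compare the scheme case-insensitively.
function sanitizeStrict(string $url): string
{
    $normalized = trim($url, "\x00..\x20");
    $normalized = str_replace(["\t", "\n", "\r"], '', $normalized);
    $parts = parse_url($normalized);
    if ($parts === false) {
        return '/';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '/';
    }
    // Only the scheme is guarded here; whether an absolute http(s) URL may
    // point at another host is a separate (open-redirect) decision.
    return strip_tags($normalized);
}

// Constructed sample inputs (not taken from any real request).
$samples = [
    '/admin/dashboard',
    'https://example.com/admin/entries',
    '<script>alert(1)</script>',
    'javascript:alert(document.cookie)',
    'JavaScript:alert(1)',
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
    " javascript:alert(1)",      // leading space: browsers ignore it
    "java\nscript:alert(1)",     // embedded newline: browsers remove it
];

$show = static fn(string $s): string => json_encode($s, JSON_UNESCAPED_SLASHES);

printf("%-52s %-40s %-24s %s\n", 'input', 'strip_tags only', 'patch style', 'strict');
foreach ($samples as $input) {
    printf(
        "%-52s %-40s %-24s %s\n",
        $show($input),
        $show(sanitizeWithStripTagsOnly($input)),
        $show(sanitizePatchStyle($input)),
        $show(sanitizeStrict($input))
    );
}
```

Run it with `php example.php`. The first column shows what strip_tags() alone lets through, the second what the allowlist modeled on the patch does, and the third what the normalized variant does. The last two samples are there to show why normalizing before parse_url() matters: PHP's parser does not accept a scheme that contains a space or newline before the colon, so it reports no scheme for those inputs, whereas browsers discard those characters before parsing. This is a general property of the two parsers, not a claim about how Craft processes the request.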
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 4.15.3, < 4.17.3 | 4.17.3 |
| craftcms/cms (Packagist) | >= 5.7.5, < 5.9.7 | 5.9.7 |
Patches
2 files changed · +8 −0
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Craft CMS 4 +## Unreleased + +- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerability. (GHSA-fvwq-45qv-xvhv) + ## 4.17.2 - 2026-01-28 - Fixed an error that could occur when updating to Craft 4.17 on environments with `allowAdminChanges` disabled. ([#18332](https://github.com/craftcms/cms/issues/18332))
src/web/User.php+4 −0 modified@@ -472,6 +472,10 @@ public function generateToken(int $userId): void */ public function setReturnUrl($url): void { + $scheme = parse_url($url, PHP_URL_SCHEME); + if ($scheme && !in_array($scheme, ['http', 'https'])) { + $url = '/'; + } parent::setReturnUrl(strip_tags($url)); }
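Review bot: the CHANGELOG.md entry under "Unreleased" cites the GHSA but does not say that it completes the earlier fix for CVE-2025-35939, which is the context a reader of the release notes needs to decide whether they are affected; consider "Fixed a low-severity XSS vulnerability in return URL handling that remained after the fix for CVE-2025-35939."

Review bot: in the setReturnUrl() hunk the allowlist only fires when parse_url() returns a truthy scheme, so any input PHP cannot parse a scheme from (for example a value with a leading space, or a tab or newline inside the scheme) falls through with `$scheme` null and reaches `strip_tags($url)` unchanged, while browsers strip leading whitespace and embedded tab/CR/LF before parsing the URL. Consider normalizing the value before the check (trim ASCII whitespace and controls, remove "\t", "\n", "\r"), passing `true` as the third argument to `in_array` so the comparison is strict, and lowercasing the scheme before comparing so the intent is explicit (mixed-case schemes are already rejected because they do not match http/https exactly). The check also constrains only the scheme: a scheme-relative `//host/path` or an absolute http(s) URL to another host still passes, which is fine only if a host check exists elsewhere.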
References
- [1] https://github.com/advisories/GHSA-fvwq-45qv-xvhv (GitHub advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2026-31859 (NVD entry)
- [3] https://github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe (fix commit)
- [4] https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv (vendor advisory)