Craft CMS Vulnerable to Stored XSS in Revision Context Menu
Description
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
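The rendering pattern the advisory describes, reduced to plain PHP as an added illustration (this is not Craft CMS code): `translate()` and `raw()` below are stand-ins for `Craft::t()` placeholder substitution and `Template::raw()` marking a string as safe markup, and the creator name, timestamps and message are constructed sample values. The vulnerable branch interpolates the profile field straight into markup that is then declared safe; the fixed branch encodes the untrusted value first, which is the shape of the 5.9.11 change (`htmlspecialchars` stands in here for `craft\helpers\Html::encode`).

```php
<?php
declare(strict_types=1);

// Stand-in for Craft::t() (assumption): substitute {placeholders} into the
// message text without escaping anything. Translation itself is irrelevant to the bug.
function translate(string $message, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs['{' . $key . '}'] = (string) $value;
    }
    return strtr($message, $pairs);
}

// Stand-in for Template::raw() (assumption): whatever is returned is emitted
// by the template engine as-is, with no auto-escaping applied later.
function raw(string $html): string
{
    return $html;
}

// Builds the context-menu label the advisory describes. When $encodeCreator is
// false this mirrors the vulnerable code path; when true it mirrors the fix.
function savedByLabel(string $creatorName, string $timestamp, string $timestampWithDate, bool $encodeCreator): string
{
    $message = 'Saved <time title="{timestampWithDate}">{timestamp}</time> by {creator}';

    return raw(translate($message, [
        'timestampWithDate' => $timestampWithDate,
        'timestamp' => $timestamp,
        // The fix: encode the user-controlled value before it enters a string
        // that will be treated as trusted markup.
        'creator' => $encodeCreator
            ? htmlspecialchars($creatorName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            : $creatorName,
    ]));
}

// Constructed sample data: a profile fullName containing markup, plus formatter output.
$creatorName = 'Mallory <script>alert(1)</script>';
$timestamp = '2 minutes ago';
$timestampWithDate = '2026-05-09 10:15';

$vulnerable = savedByLabel($creatorName, $timestamp, $timestampWithDate, false);
$fixed = savedByLabel($creatorName, $timestamp, $timestampWithDate, true);

echo "Vulnerable (script tag reaches the browser):\n$vulnerable\n\n";
echo "Fixed (tag is rendered as text):\n$fixed\n";

// A regression check a reviewer would want: the raw tag must never survive encoding.
if (str_contains($fixed, '<script>') || !str_contains($fixed, '&lt;script&gt;')) {
    throw new RuntimeException('creator name was not encoded before raw output');
}
```

The point to take from the example is that `raw()` is not the defect by itself: the surrounding `<time>` markup is intentional and must stay unescaped. The defect is that a value from a low-privilege user's profile was interpolated into that trusted string without encoding, so any further placeholder added to such a message needs the same per-value treatment.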
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.9.0-beta.1, < 5.9.11 | 5.9.11 |
Affected products
Patches
f634a9d21edc Fixed GHSA-3x4w-mxpf-fhqq
2 files changed · +3 −2
CHANGELOG.md+1 −0 modified@@ -8,6 +8,7 @@ - Fixed a bug where some Matrix bulk action labels weren’t getting translated. - Fixed a bug where global nav items weren’t showing an icon if the icon was set to `0`. - Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerabilities. (GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j) +- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerability. (GHSA-3x4w-mxpf-fhqq) ## 5.9.10 - 2026-02-12
src/controllers/ElementsController.php+2 −2 modified@@ -898,7 +898,7 @@ private function _contextMenuItems( ? Template::raw(Craft::t('app', 'Saved <time title="{timestampWithDate}">{timestamp}</time> by {creator}', [ 'timestampWithDate' => $timestampWithDate, 'timestamp' => $timestamp, - 'creator' => $creator->name, + 'creator' => Html::encode($creator->name), ])) : Template::raw(Craft::t('app', 'Last saved <time title="{timestampWithDate}">{timestamp}</time>', [ 'timestampWithDate' => $timestampWithDate, @@ -929,7 +929,7 @@ private function _contextMenuItems( ? Template::raw(Craft::t('app', 'Saved <time title="{timestampWithDate}">{timestamp}</time> by {creator}', [ 'timestampWithDate' => $timestampWithDate, 'timestamp' => $timestamp, - 'creator' => $creator->name, + 'creator' => Html::encode($creator->name), ])) : Template::raw(Craft::t('app', 'Saved <time title="{timestampWithDate}">{timestamp}</time>', [ 'timestampWithDate' => $timestampWithDate,
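Review bot: the `Html::encode($creator->name)` call in the hunk at `@@ -898` depends on `craft\helpers\Html` already being imported in ElementsController.php; the diff adds no `use` statement, so confirm the import exists, since an unqualified `Html` would otherwise fail at runtime on this path. A second point for the same hunk: the result is still wrapped in `Template::raw()`, which means every placeholder substituted into the `Saved <time ...> by {creator}` message is trusted markup from then on. Encoding only `creator` fixes the reported field, but a comment at the `Template::raw(` line (or encoding every non-markup param before `Craft::t()`) would keep the next placeholder someone adds from reintroducing the bug.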
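Review bot: the hunk at `@@ -929` is a repeat of the change at `@@ -898` (same message, same params, same `Html::encode($creator->name)` substitution), and that duplication is why the unescaped name existed in two places. Factoring the two `Saved ... by {creator}` branches into one helper that returns the encoded label would make a third copy less likely. The patch also adds no test asserting that a creator name containing markup comes back encoded from `_contextMenuItems`; one would be a cheap regression guard for both call sites.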
References
- github.com/advisories/GHSA-3x4w-mxpf-fhqq (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33051 (NVD entry)
- github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1 (fix commit)
- github.com/craftcms/cms/releases/tag/5.9.11 (patched release)
- github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq (vendor advisory)