Craft CMS - Stored XSS via User Group Name in User Permissions Page
Description
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"User group names are rendered without proper HTML escaping in the User Permissions page, allowing stored XSS."
Attack vector
An attacker with admin access and `allowAdminChanges` enabled can inject arbitrary JavaScript via the user group name field. The payload is stored when creating or editing a user group, then executes when any other user views or edits a user's permissions on the Permissions tab [ref_id=1]. This is a stored cross-site scripting (XSS) attack.
Affected code
The vulnerability is in the User Permissions page of Craft CMS, where user group names are rendered without proper HTML escaping in the permissions section. The advisory identifies the affected versions as >= 5.0.0-RC1, <= 5.8.21 [ref_id=1].
What the fix does
The advisory recommends sanitizing user group names when rendering in the user permissions template [ref_id=1]. No patch diff is included in the bundle, but the fix would involve applying proper HTML escaping to the user group name output in the relevant template to prevent injected script tags from being interpreted as executable code.
Preconditions
- authAttacker must have admin access to the Craft CMS control panel
- configThe `allowAdminChanges` config setting must be enabled in production
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6mitrevendor-advisory
- www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-pagemitrethird-party-advisory
News mentions
0No linked articles in our index yet.