Craft CMS Stored Cross-Site Scripting Vulnerability Allowing Account Privilege Escalation

Vulnerability

A stored cross-site scripting vulnerability has been identified in Craft CMS versions from 5.9.0-beta.1 up to, but not including, 5.9.10. The issue arises in the revision/draft context menu of the element editor, where the creator's full name is rendered as raw HTML without escaping. This flaw allows a low-privileged control panel user, such as an Author, to inject an XSS payload into their own full name via the profile editor. After the user creates an entry and saves it twice, the payload is stored in the revision menu and executes in the browser of anyone who opens that menu. If an administrator is logged in and the payload executes during an elevated session, the attacker's account can be escalated to administrator privileges.
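
The example below is added here to illustrate the bug class described above; it is not Craft CMS code. It models a revision menu that concatenates the creator's full name into HTML, shows the encoded form, and adds an audit function that flags stored profile names containing markup so an administrator can review affected accounts around the upgrade. All function names and the sample data are constructed.

```javascript
// Added example (not Craft CMS source): HTML-context encoding of a
// user-controlled display name, plus a defender-side audit of stored names.

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the creator's full name is inserted into markup verbatim,
// so any HTML stored in the profile field becomes part of the menu's DOM.
function renderRevisionMenuUnsafe(revisions) {
  return revisions
    .map((r) => `<li data-revision="${r.id}">Revision ${r.num} by ${r.creatorName}</li>`)
    .join('');
}

// Hardened form: every value that originates from a user is encoded for the
// HTML context in which it is placed.
function renderRevisionMenuSafe(revisions) {
  return revisions
    .map((r) => `<li data-revision="${escapeHtml(r.id)}">Revision ${escapeHtml(r.num)} by ${escapeHtml(r.creatorName)}</li>`)
    .join('');
}

// Audit check: return usernames whose stored full name contains something
// that looks like markup or an entity. Plain punctuation such as "&" or "'"
// in a legitimate name is not flagged.
function findSuspiciousNames(users) {
  const markup = /<[a-z!\/?]|&#|javascript:/i;
  return users.filter((u) => markup.test(u.fullName)).map((u) => u.username);
}

// Constructed sample data; "eve" stands for a low-privileged user who stored
// markup in the full-name field.
const sampleUsers = [
  { username: 'jane', fullName: 'Jane Author' },
  { username: 'eve', fullName: '<b>Eve</b>' },
  { username: 'bob', fullName: "Bob O'Neil & Sons" },
];
const sampleRevisions = [
  { id: 41, num: 1, creatorName: sampleUsers[0].fullName },
  { id: 42, num: 2, creatorName: sampleUsers[1].fullName },
];
```

Running the audit against the user table before patching tells you which accounts to inspect; running it again afterwards confirms the field is no longer being used to smuggle markup.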

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, with the potential for account privilege escalation to administrator.

Remediation

Users are advised to update Craft CMS to version 5.9.11 or later, where this vulnerability has been patched.

Added: Mar 20, 2026, 6:18 AM
Updated: Mar 20, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 5.8
remediation: 7.7
relevance: 4.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.