CVE-2019-9554

MEDIUM

Craft CMS 3.1.12 Pro - Stored Cross-Site Scripting in Header Insertion Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9554, a PoC published by Ismail Tasdelen.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Craft CMS 3.1.12 Pro by injecting malicious JavaScript into the 'articleBody' field via a crafted HTTP POST request. The payload is embedded in an image tag's 'alt' and 'title' attributes, triggering an alert when rendered.
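
The block below is an added illustration, not code from the exploit-db entry or from Craft CMS, and it is written in Python rather than the project's PHP so that it runs stand-alone. It models the attribute context the summary describes: a hypothetical renderer that interpolates user-supplied alt/title values straight into an `<img>` tag, the same renderer with HTML-attribute encoding, a parser-based check that reports any on* attribute a browser would actually see, and a small allowlist sanitizer for a stored rich-text field. The payload string, the field schema and the sample stored body are all constructed for the example; nothing here reproduces the PoC's HTTP request.

```python
"""Attribute-context stored XSS: vulnerable vs. hardened rendering, plus a
parser-based check and an allowlist sanitizer. Added illustration only;
the renderer, field schema and sample data are hypothetical, not Craft's."""
import html
from html.parser import HTMLParser

# Constructed payload in the shape the PoC summary describes: a value for the
# image's alt/title attribute that closes the quoted attribute and appends an
# event handler. (Not the exploit-db payload.)
PAYLOAD = 'x" onerror="alert(1)'


def render_img_vulnerable(src, alt, title):
    """Hypothetical vulnerable renderer: attribute values interpolated verbatim."""
    return f'<img src="{src}" alt="{alt}" title="{title}">'


def render_img_hardened(src, alt, title):
    """Same renderer with attribute encoding; quote=True also encodes " and '."""
    def esc(value):
        return html.escape(value, quote=True)
    return f'<img src="{esc(src)}" alt="{esc(alt)}" title="{esc(title)}">'


class _EventHandlerFinder(HTMLParser):
    """Parse like a browser would and collect every on* attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:            # HTMLParser lowercases attribute names
            if name.startswith('on'):
                self.found.append((tag, name))


def event_handler_attributes(markup):
    """Return [(tag, attr), ...] for each event-handler attribute in markup."""
    finder = _EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found


# Hypothetical allowlist for a stored rich-text field (not Craft's schema).
ALLOWED_TAGS = {'p': set(), 'b': set(), 'i': set(), 'br': set(),
                'a': {'href', 'title'}, 'img': {'src', 'alt', 'title'}}
VOID_TAGS = {'img', 'br'}


def _safe_url(value):
    v = value.strip().lower()
    # Allow absolute http(s) URLs and site-relative paths; reject javascript:,
    # data: and protocol-relative //host URLs.
    return v.startswith(('http://', 'https://')) or (v.startswith('/') and not v.startswith('//'))


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # drop <script>, <iframe>, ...; their text still flows to handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue                      # drops onerror=, onclick=, style=, ...
            value = value or ''
            if name in ('src', 'href') and not _safe_url(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append('<' + ' '.join(parts) + '>')

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))   # text context: encode & < >

    def result(self):
        return ''.join(self.out)


def sanitize_rich_text(markup):
    """Re-serialise markup keeping only allowlisted tags/attributes and safe URLs."""
    s = _AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return s.result()


# Constructed sample of what a malicious rich-text submission might store.
STORED_BODY = ('<p>Hi</p><img src="/uploads/x.png" alt="x" onerror="alert(1)" title="t">'
               '<script>alert(2)</script><a href="javascript:alert(3)">link</a>')

if __name__ == '__main__':
    bad = render_img_vulnerable('a.png', PAYLOAD, PAYLOAD)
    good = render_img_hardened('a.png', PAYLOAD, PAYLOAD)
    print(bad, event_handler_attributes(bad))
    print(good, event_handler_attributes(good))
    print(sanitize_rich_text(STORED_BODY))
```

Run directly, the vulnerable renderer's output gains two `onerror` attributes while the hardened output keeps the same payload inert inside the attribute value, and the sanitizer strips the handler, the script element and the javascript: link from the stored body while preserving the legitimate alt/title text. The equivalent discipline in Craft's Twig templates is to leave autoescaping on and never pass entry content through the raw filter.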

Description

In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.

Exploits (1)

exploitdb · WORKING POC
by Ismail Tasdelen · text · webapps · php
https://www.exploit-db.com/exploits/46496


Classification
Working PoC 95%
Attack Type
XSS (stored)
Complexity
Trivial
Reliability
Reliable
Target: Craft CMS 3.1.12 Pro
Auth required
Prerequisites: Valid admin session cookies (CraftSessionId, CRAFT_CSRF_TOKEN) · Access to the Craft CMS admin panel
Note: the CVSS vector rates this PR:N (no privileges required), but the published PoC submits the payload from an authenticated control-panel session; being stored, the payload then fires for whoever renders the saved entry. Weigh the "no auth" rating against that prerequisite when prioritising.
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
https://www.exploit-db.com/exploits/46496 · Exploit, Third Party Advisory, VDB Entry (x_refsource_MISC)

Scores

CVSS v3.1 base score 6.1 (Medium)
EPSS 0.0259 (2.59%)
EPSS Percentile 83.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status published
Products (1)
craftcms/craft_cms 3.1.12
Published Dec 31, 2019
Tracked Since Feb 18, 2026