CVE-2026-33051
MEDIUMCraft CMS Vulnerable to Stored XSS in Revision Context Menu
Title source: cnaDescription
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
References (3)
Core 3
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/craftcms/cms/releases/tag/5.9.11
X_Refsource_Confirm x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
X_Refsource_Misc x_refsource_misc
https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
Scores
CVSS v3
5.4
EPSS
0.0024
EPSS Percentile
15.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
craftcms/cms
5.9.0-beta.1 - 5.9.11Packagist
craftcms/cms
>= 5.9.0-beta.1, < 5.9.11
craftcms/craft_cms
5.9.0 - 5.9.11
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026