CVE-2026-31859Improper Encoding or Escaping of Output in Craft CMS

CWE-116Improper Encoding or Escaping of OutputCWE-79Cross-site Scripting5 documents5 sources
Severity
6.9MEDIUMNVD
EPSS
0.0%
top 89.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMar 11

Description

Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href att

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

Packagistcraftcms/cms4.15.34.17.3+1
NVDcraftcms/craft_cms4.15.34.17.3+1
CVEListV5craftcms/cms>= 4.15.3, < 4.17.3, >= 5.7.5, < 5.9.7+1

Patches

Patch: github.com

🔴Vulnerability Details

3
GHSA
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization2026-03-11
CVEList
Craft has Reflective XSS via incomplete return URL sanitization2026-03-11
OSV
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization2026-03-11

🕵️Threat Intelligence

1
Wiz
CVE-2026-31859 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-31859 — Craftcms Craft CMS vulnerability | cvebase