CVE-2026-33051 — Cross-site Scripting in Craft CMS

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 91.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 20

Description

Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload whi…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.9.0-beta.1 — 5.9.11

▶NVDcraftcms/craft_cms5.9.0 — 5.9.11

▶CVEListV5craftcms/cms>= 5.9.0-beta.1, < 5.9.11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft CMS Vulnerable to Stored XSS in Revision Context Menu↗2026-03-20

▶

GHSA

Craft CMS Vulnerable to Stored XSS in Revision Context Menu↗2026-03-18

▶

OSV

Craft CMS Vulnerable to Stored XSS in Revision Context Menu↗2026-03-18

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33051 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶