CVE-2026-56381
Published 2026-06-21
CVE-2026-56381: Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without…
Priority P4 | 19 | medium | 4.8 | CVSS 3.1
AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.15% (4.4th percentile)
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 5.0.0-RC1 < 5.8.22 | 5.8.22 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 4.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Craft CMS up to 5.8.21 User Permissions Page cross site scripting (GHSA-g3hp-vvqf-8vw6 / EUVD-2026-38175)
vuldb · 2026-06-21 · CVSS 4.8
CVE-2026-56381 [MEDIUM] Craft CMS up to 5.8.21 User Permissions Page cross site scripting (GHSA-g3hp-vvqf-8vw6 / EUVD-2026-38175)
A vulnerability identified as problematic has been detected in Craft CMS up to 5.8.21. This affects an unknown function of the component User Permissions Page. Performing a manipulation results in cross site scripting.
This vulnerability was named CVE-2026-56381. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
GHSA
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping.
ghsa_unreviewed · 2026-06-21
CVE-2026-56381 [MEDIUM] CWE-79 Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping.
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-21