CVE-2026-56381

MEDIUM EPSS 4.4%

Published Jun 21, 20261w ago · Modified Jun 23, 20261w ago

4.6 CVSS 4.0

Medium

Published Jun 21, 2026 1w ago

Last Modified Jun 23, 2026 1w ago

Description

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

CVSS Details

Base Score

4.6

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction A

Scope X

Threat Intelligence

EPSS Exploit Probability

4.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 2

github.com https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6
vulncheck.com https://www.vulncheck.com/advisories/craft-cms-stored-xss-via-user-group-name-in-user-permissions-page

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.