CVE-2026-33051 Overview
CVE-2026-33051 is a stored Cross-Site Scripting (XSS) vulnerability in Craft CMS that allows a low-privileged control panel user to inject malicious JavaScript code through their fullName profile field. The vulnerability exists because the revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. This flaw can be exploited to elevate an attacker's account to administrator privileges if an administrator interacts with the malicious payload while an elevated session is active.
Critical Impact
A low-privileged user (e.g., Author) can exploit this XSS vulnerability to escalate their privileges to administrator level by injecting malicious scripts that execute in the context of an administrator's elevated session.
Affected Products
- Craft CMS versions 5.9.0-beta.1 through 5.9.10
- craftcms craft_cms (all platforms)
Discovery Timeline
- 2026-03-20 - CVE-2026-33051 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-33051
Vulnerability Analysis
This stored XSS vulnerability arises from improper handling of user-supplied data in Craft CMS's element editor interface. When a user's fullName field is displayed in the revision/draft context menu, the application fails to properly sanitize or escape the content before rendering it in the browser. The use of Template::raw() in combination with Craft::t() string interpolation bypasses the normal output encoding that would otherwise prevent script execution.
The attack chain requires minimal privileges—a user with Author-level access can modify their profile's fullName field to contain an XSS payload. When this user creates or edits content entries (requiring at least two saves to generate revisions), the malicious fullName is stored and later rendered without sanitization when other users, particularly administrators, view the revision history or draft context menu.
Root Cause
The root cause is the unsafe use of Template::raw() when rendering user-controlled data within the element editor's context menu. The fullName field is passed through Craft::t() for translation purposes and then marked as raw HTML output, which prevents automatic escaping. This combination allows arbitrary HTML and JavaScript to be injected and executed in the browser context of any user viewing the affected interface.
Attack Vector
The attack is network-based and requires authentication with low privileges. The exploitation process follows this pattern:
Profile Modification: An attacker with Author-level (or similar low-privilege) access navigates to their profile editor and sets their fullName field to contain a malicious XSS payload (e.g., script tags or event handlers).
Content Creation: The attacker creates or modifies an entry in the CMS, saving it at least twice to generate revision history that includes their name as the creator/modifier.
Payload Delivery: When an administrator views the revision/draft context menu for the affected entry while in an elevated session, the attacker's fullName is rendered as raw HTML, executing the malicious script.
Privilege Escalation: A crafted payload can make API calls or manipulate the DOM to elevate the attacker's account to administrator status, leveraging the administrator's active session.
The vulnerability requires user interaction (an administrator must view the context menu), but the medium severity reflects the potential for privilege escalation and the persistence of the stored XSS payload.
Detection Methods for CVE-2026-33051
Indicators of Compromise
- Review user profile fullName fields in the database for suspicious HTML/JavaScript content (e.g., <script>, onerror=, onclick=, javascript: patterns)
- Monitor Craft CMS user accounts for unexpected privilege escalations, particularly Author-level users gaining administrator access
- Audit web server access logs for unusual API calls to user management endpoints originating from administrative sessions
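An offline triage scan for the first indicator above, added here as an example and not tooling from the Craft CMS project: it flags stored fullName values that contain the tag, event-handler or javascript: patterns listed, over constructed sample rows standing in for a query of the users table (the (id, username, fullName) row shape is an assumption).

```python
import re
from typing import Iterable

# Patterns a stored fullName should never contain. The value is scanned exactly
# as stored, because that is the string Template::raw() would emit unescaped.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE),   # any tag-like token
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),    # onerror=, onclick=, ...
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),   # javascript: URIs
}


def classify_fullname(full_name: str) -> list[str]:
    """Return the names of every pattern matched by this value (empty list = clean)."""
    if not full_name:
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(full_name)]


def scan_fullnames(rows: Iterable[tuple]) -> list[dict]:
    """rows are (user id, username, fullName) tuples; returns one finding per flagged user.

    Anything tag-like is reported, so names such as 'Tom <Marketing>' surface for
    manual review rather than being silently passed.
    """
    findings = []
    for user_id, username, full_name in rows:
        hits = classify_fullname(full_name)
        if hits:
            findings.append({"id": user_id, "username": username, "patterns": hits})
    return findings


# Constructed sample rows (not real data); the flagged values are inert test strings.
SAMPLE_ROWS = [
    (1, "admin", "Site Administrator"),
    (2, "obrien", "Siobhán O'Brien"),                       # apostrophe and non-ASCII are fine
    (3, "author1", "<script>alert(1)</script>"),
    (4, "author2", "Jane <img src=x onerror=alert(1)>"),
    (5, "author3", '<a href="javascript:alert(1)">Jon</a>'),
    (6, "editor", "Simon Onyx & Co"),                       # 'on' inside words is not a handler
    (7, "author4", "<SCRIPT\n>alert(1)</SCRIPT>"),          # mixed case and newline inside the tag
]

if __name__ == "__main__":
    for finding in scan_fullnames(SAMPLE_ROWS):
        print(f"user {finding['id']} ({finding['username']}): {', '.join(finding['patterns'])}")
```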
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution, which can help identify XSS exploitation attempts
- Deploy web application firewalls (WAF) with rules to detect XSS patterns in user profile update requests
- Enable detailed logging of profile modifications, particularly changes to the fullName field containing HTML or script-like content
Monitoring Recommendations
- Set up alerts for user role/permission changes, especially escalations to administrator privileges
- Monitor the Craft CMS control panel for unusual session activity or API calls made during administrator sessions
- Review audit logs for entries where revision/draft metadata may have been accessed by privileged users following profile updates by low-privilege accounts
How to Mitigate CVE-2026-33051
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.11 or later immediately to remediate this vulnerability
- Audit all user profile fullName fields for suspicious HTML or JavaScript content and sanitize any malicious entries found
- Review user privilege levels and revoke any unauthorized administrator accounts that may have been created through exploitation
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
Patch Information
Craft CMS has released version 5.9.11, which addresses this vulnerability. The fix is available in the official repository:
- GitHub Security Advisory GHSA-3x4w-mxpf-fhqq - Official security advisory with vulnerability details
- GitHub Commit f634a9d21edcafd83a6716047d275f985aba6be1 - The specific commit that addresses the XSS issue
- GitHub Release Tag 5.9.11 - The patched release version
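A check of whether an installation falls in the affected range (5.9.0-beta.1 through 5.9.10, fixed in 5.9.11), added here as an example and not a script from the Craft CMS project: it reads the locked craftcms/cms version from a composer.lock document (a constructed sample is embedded) and compares it, treating a prerelease as older than its final release.

```python
import json
import re
from typing import Optional

# Affected range as stated in the advisory; anything outside it is treated as unaffected.
FIRST_AFFECTED = "5.9.0-beta.1"
LAST_AFFECTED = "5.9.10"
FIXED_VERSION = "5.9.11"

# Accepts '5.9.10', 'v5.9.10', '5.9.0-beta.1', '5.9.0-rc1' style strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?(\d+)?)?$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn a version string into a comparable tuple.

    The fourth element is 0 for a prerelease and 1 for a final release, so
    5.9.0-beta.1 < 5.9.0, and 'alpha' < 'beta' < 'rc' falls out of plain ordering.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    release = (int(major), int(minor), int(patch))
    if pre_tag is None:
        return release + (1, "", 0)
    return release + (0, pre_tag.lower(), int(pre_num or 0))


def is_affected(version: str) -> bool:
    """True if this craftcms/cms version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def installed_cms_version(composer_lock_json: str) -> Optional[str]:
    """Return the locked craftcms/cms version from composer.lock, or None if not present."""
    data = json.loads(composer_lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Constructed composer.lock fragment (not a real lock file); only the fields used here.
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.9.10"},
    {"name": "vendor/example-plugin", "version": "1.0.0"},
]})

if __name__ == "__main__":
    current = installed_cms_version(SAMPLE_COMPOSER_LOCK)
    print(f"craftcms/cms {current}: {'AFFECTED, upgrade to ' + FIXED_VERSION if current and is_affected(current) else 'not affected'}")
```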
Workarounds
- If immediate patching is not possible, consider temporarily restricting profile editing capabilities for non-administrator users
- Implement input validation at the application or WAF level to strip HTML tags from user profile fields
- Reduce the number of users with control panel access until the patch can be applied
- Disable or restrict access to the revision/draft context menu functionality if feasible in your environment
# Update Craft CMS via Composer
composer require craftcms/cms:5.9.11
php craft migrate/all
php craft project-config/apply
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.