Craft CMS 5.9.x < 5.9.11 Stored XSS (GHSA-3x4w-mxpf-fhqq)

medium Nessus Plugin ID 303619

Synopsis

The Craft CMS instance installed on the remote host is affected by a cross-site scripting vulnerability.

Description

The version of Craft CMS installed on the remote host is 5.9.x prior to 5.9.11. It is, therefore, affected by a stored cross-site scripting vulnerability:

- The revision/draft context menu in the element editor renders the creator's fullName as raw HTML: the menu label is built with Craft::t() string interpolation and the result is passed through Template::raw(), so the interpolated name is never escaped. A low-privileged control panel user can set their own fullName to an XSS payload in the profile editor, then create an entry and save it twice so that a revision is listed in that menu. When an administrator opens the affected element, the payload runs in the administrator's session and can be used to elevate the attacker's account to administrator. (CVE-2026-33051)
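The following is an added illustration of the pattern described above, not Craft CMS code: a translated string with a user-controlled placeholder is emitted as raw markup, beside the hardened form that escapes the parameter before interpolation. The message text, function names and the attacker's fullName payload are all assumed for the example; the advisory does not publish the real ones.

```python
"""Added example (not Craft CMS code): models a translated menu label whose
{creator} placeholder is filled from a user-controlled fullName and then
emitted unescaped, beside a hardened version. Names are hypothetical."""
import html
import re

# Constructed stand-in for a translation table. Craft::t() looks up a message
# and substitutes {placeholders}; the real message wording is an assumption.
MESSAGES = {"Saved by {creator}": "Saved by {creator}"}


def translate(message, params):
    """Minimal Craft::t-style interpolation: replace {name} with params[name].
    Parameters are inserted verbatim, which is what makes the raw path unsafe."""
    text = MESSAGES.get(message, message)
    return re.sub(r"\{(\w+)\}",
                  lambda m: str(params.get(m.group(1), m.group(0))), text)


def render_menu_item_vulnerable(full_name):
    """Mirrors the bug: the entire translated string is treated as raw HTML
    (the Template::raw() step), so the attacker-controlled name is never
    escaped before it reaches the administrator's browser."""
    return translate("Saved by {creator}", {"creator": full_name})


def render_menu_item_fixed(full_name):
    """Hardened form: escape the untrusted parameter *before* interpolation.
    The translated framing may still be output raw, but it no longer carries
    live markup from the user profile."""
    safe_name = html.escape(full_name, quote=True)
    return translate("Saved by {creator}", {"creator": safe_name})


def contains_tag(rendered):
    """Test helper: does the output still contain an unescaped HTML tag start?
    html.escape() converts '<' to '&lt;', so a hardened result never matches."""
    return re.search(r"<[a-zA-Z/!]", rendered) is not None


# Constructed attacker fullName. A real chain would issue admin-only requests
# with the administrator's session; no Craft endpoint is assumed here.
ATTACKER_FULL_NAME = "<img src=x onerror=alert(document.domain)>"

if __name__ == "__main__":
    print("vulnerable:", render_menu_item_vulnerable(ATTACKER_FULL_NAME))
    print("fixed:     ", render_menu_item_fixed(ATTACKER_FULL_NAME))
```

The design point is where escaping happens: marking a whole interpolated string as raw means every parameter inherits the raw trust level, so either the parameters must be escaped before they are interpolated or the string must not be marked raw at all.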

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Craft CMS to version 5.9.11 or later.
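As an added example (not the Nessus plugin itself), the version-only logic this check relies on can be reproduced locally against the self-reported version in a project's composer.lock. The affected range is the one the advisory states, 5.9.0 up to but not including 5.9.11; other branches are simply out of scope for this check, not confirmed safe. The composer.lock fragment below is constructed.

```python
"""Added example (not Nessus code): version-only affected check for
CVE-2026-33051 as the advisory describes it, fed from a composer.lock-style
document. Sample data is constructed."""
import json

AFFECTED_BRANCH = (5, 9)   # 5.9.x
FIXED_PATCH = 11           # fixed in 5.9.11


def parse_version(version):
    """Turn '5.9.3', 'v5.9.3' or '5.9.3-beta.1' into (5, 9, 3).
    Prerelease/build suffixes are dropped, so a hypothetical 5.9.11-beta
    would be treated as fixed; refine if that matters for your estate."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True only for 5.9.0 <= version < 5.9.11, the range the advisory names."""
    major, minor, patch = parse_version(version)
    return (major, minor) == AFFECTED_BRANCH and patch < FIXED_PATCH


def craft_version_from_composer_lock(lock_text):
    """Return the locked craftcms/cms version from composer.lock JSON,
    or None when the package is absent."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment for demonstration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.9.7"},
    {"name": "twig/twig", "version": "3.20.0"},
]})

if __name__ == "__main__":
    found = craft_version_from_composer_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {found}: affected={is_affected(found)}")
```

Because the check is version-only, it shares the plugin's limitation: a patched fork or a backported fix would still be flagged, and an instance whose composer.lock is stale would be misjudged in the other direction.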

See Also

http://www.nessus.org/u?2178de12

Plugin Details

Severity: Medium

ID: 303619

File Name: craftcms_CVE-2026-33051.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 3/25/2026

Updated: 3/25/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-33051

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

CPE: cpe:/a:craftcms:craft_cms

Required KB Items: installed_sw/Craft CMS

Patch Publication Date: 3/16/2026

Vulnerability Publication Date: 3/16/2026

Reference Information

CVE: CVE-2026-33051