SB2026061672 - Multiple vulnerabilities in Craft CMS
Published: June 16, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim user's control panel session.
The vulnerability exists due to insufficient sanitization of entry titles in ElementTableSorter.js when it renders a dragged Structure entry in table view. A remote user can store a crafted entry title that executes arbitrary script in a victim user's control panel session when the victim performs a drag-and-drop action on the affected table.
User interaction is required, and the issue affects Structure-type sections when the victim drags another entry under the poisoned entry in table view.
2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform server-side request forgery.
The vulnerability exists due to improper access control in the /actions/app/resource-js endpoint when handling requests with a poisoned Host or X-Forwarded-Host header. A remote attacker can send a specially crafted request to perform server-side request forgery.
The issue manifests when assetManager.cacheSourcePaths is set to false.
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary JavaScript.
The vulnerability exists due to improper neutralization of input in the /actions/app/resource-js endpoint when handling requests with a poisoned Host or X-Forwarded-Host header. A remote attacker can send a specially crafted request to inject arbitrary JavaScript.
If a caching layer is present, the issue can lead to web cache poisoning and stored cross-site scripting in the control panel. The issue manifests when assetManager.cacheSourcePaths is set to false.
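Issues 2 and 3 share a root cause: a request header that the client controls (Host or X-Forwarded-Host) is trusted when the resource-js endpoint builds a URL. The following is an added example, not Craft CMS code, showing the two checks a defender would want: an allowlist resolver that decides which host a request may be served as (consulting X-Forwarded-Host only when the proxy is explicitly trusted), and a scan over access-log records that flags resource-js requests whose host values fall outside the allowlist, which is what a cache-poisoning attempt leaves behind. The allowlist, the JSON log format and the sample records are constructed for this example.

```python
"""Allowlist check for Host / X-Forwarded-Host, plus a log scan for the resource-js endpoint.

Added example, not Craft CMS code. Assumes the application builds absolute URLs
from the request host and sits behind a proxy that may add X-Forwarded-Host.
The allowlist, the JSON log format and the sample records are constructed.
"""
import json
from typing import Iterable, Mapping, Optional

# Constructed allowlist: the only hosts this deployment is ever served as.
ALLOWED_HOSTS = {"cms.example.test", "www.example.test"}
RESOURCE_JS_ENDPOINT = "/actions/app/resource-js"


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Lower-case the first host of a (possibly comma-separated) header and drop the port."""
    if not value:
        return None
    host = value.split(",", 1)[0].strip().lower()
    if host.startswith("["):  # IPv6 literal: keep the bracketed part only
        return host[: host.index("]") + 1] if "]" in host else None
    return host.split(":", 1)[0] or None


def effective_host(headers: Mapping[str, str], allowed: set, trust_forwarded: bool = False) -> Optional[str]:
    """Return the host this request may be served as, or None if no header value is allowlisted.

    X-Forwarded-Host is consulted only when the deployment explicitly trusts its
    proxy to set it; otherwise a client-supplied value is ignored entirely.
    A disallowed forwarded value does not fall back to Host: the request is refused.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    candidate = None
    if trust_forwarded:
        candidate = normalize_host(lower.get("x-forwarded-host"))
    if candidate is None:
        candidate = normalize_host(lower.get("host"))
    return candidate if candidate in allowed else None


def scan_access_log(lines: Iterable[str], allowed: set, endpoint: str = RESOURCE_JS_ENDPOINT) -> list:
    """Flag requests to `endpoint` whose Host or X-Forwarded-Host is outside the allowlist."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a record in the assumed format; skip it
        if not str(rec.get("path", "")).startswith(endpoint):
            continue
        for field in ("host", "x_forwarded_host"):
            host = normalize_host(rec.get(field))
            if host is not None and host not in allowed:
                findings.append({"line_no": line_no, "field": field, "host": host, "path": rec["path"]})
    return findings


# Constructed sample records; the second and third mimic poisoned header values.
SAMPLE_LOG_LINES = [
    '{"path": "/actions/app/resource-js", "host": "cms.example.test", "x_forwarded_host": ""}',
    '{"path": "/actions/app/resource-js?x=1", "host": "cms.example.test", "x_forwarded_host": "other.example.invalid"}',
    '{"path": "/actions/app/resource-js", "host": "other.example.invalid:8080"}',
    '{"path": "/index.php", "host": "other.example.invalid"}',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES, ALLOWED_HOSTS):
        print(f"line {f['line_no']}: {f['field']} = {f['host']} on {f['path']}")
```

When `effective_host()` returns None the application should answer with a 400 or fall back to its configured base URL rather than echo the header; the same allowlist is what makes the log scan meaningful, since both the SSRF and the cache-poisoning variant depend on a host value the deployment never serves.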
4) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the system email template rendering functionality when rendering sandboxed system message templates containing the dataUrl() Twig function. A remote user can embed a file-reading payload into a system email template to disclose sensitive information.
Exploitation requires the utility:system-messages permission and configured email sending. The issue can expose the .env file contents, including secrets that may enable subsequent admin account takeover.
5) Code Injection (CVE-ID: N/A)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of the user-controlled Referer header in the redirect handling performed after an entry is saved. A remote user can supply a specially crafted Referer header to execute arbitrary code.
Exploitation requires control panel access and permission to edit an entry.
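Whatever the application does with the redirect value later, the defensive rule for a Referer-derived redirect is to treat the header as opaque input: accept only a same-origin http(s) URL or a plain absolute path, and emit only a normalized path and query, never the raw header. The following is an added example, not Craft CMS code; `request_host` is assumed to be the already-validated host the request was served on, and `default` is the page to fall back to when the header fails any check. Characters outside the RFC 3986 path/query set are rejected as a whole, which also shuts out template-like syntax.

```python
"""Safe handling of a Referer-derived redirect target.

Added example, not Craft CMS code. Assumes `request_host` is the validated
host the request was served on. Anything that is not a same-origin http(s)
URL or a plain absolute path collapses to `default`, and only the path and
query survive; the raw header is never reused.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Characters RFC 3986 allows in a path or query (percent-encoded octets included).
_SAFE_PATH_QUERY = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@/%?]*$")


def _normalize_host(host: str) -> str:
    """Lower-case a host and strip any port, keeping IPv6 brackets intact."""
    host = host.strip().lower()
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0]


def safe_redirect_target(referer: Optional[str], request_host: str, default: str = "/") -> str:
    """Return a same-origin path (+query) derived from `referer`, or `default` on any doubt."""
    if not referer:
        return default
    # Backslashes, whitespace and control characters never belong in a URL we trust.
    if any(ch.isspace() or ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in referer):
        return default
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme:
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            return default
        if parts.hostname != _normalize_host(request_host):
            return default  # would leave the origin
    elif parts.netloc:
        return default  # scheme-relative URL ("//other.host/...") also leaves the origin
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    target = path + ("?" + parts.query if parts.query else "")
    if not _SAFE_PATH_QUERY.match(target):
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs: one benign, two that must fall back to the default.
    for ref in ("https://cms.example.test/admin/entries/blog",
                "https://other.example.invalid/admin",
                "https://cms.example.test/admin/{{x}}"):
        print(ref, "->", safe_redirect_target(ref, "cms.example.test", "/admin"))
```

The fragment is dropped and the host is compared after port stripping, so a Referer of `https://cms.example.test:443/admin/entries?x=1#top` becomes `/admin/entries?x=1`; a relative `/admin/entries/42` is accepted unchanged, while `//other.host/...`, a foreign origin, or anything carrying braces or whitespace yields the default page.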
Remediation
Install update from vendor's website.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-xrqc-p465-2xvg
- https://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc
- https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff
- https://github.com/craftcms/cms/pull/18559
- https://github.com/craftcms/cms/security/advisories/GHSA-287w-mxq6-x2cp
- https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r
- https://github.com/craftcms/cms/pull/18680