SB2026061672 - Multiple vulnerabilities in Craft CMS

Published: June 16, 2026

Security Bulletin ID: SB2026061672
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 60%, Low: 40%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim user's control panel session.

The vulnerability exists due to cross-site scripting in ElementTableSorter.js when handling a dragged Structure entry in table view. A remote user can store a crafted entry title; the embedded script then runs in the victim's control panel session when the victim performs the drag-and-drop action.

User interaction is required, and the issue affects Structure-type sections when the victim drags another entry under the poisoned entry in table view.


2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform server-side request forgery.

The vulnerability exists due to improper access control in the /actions/app/resource-js endpoint when handling requests with a poisoned Host or X-Forwarded-Host header. A remote attacker can send a specially crafted request to perform server-side request forgery.

The issue manifests when assetManager.cacheSourcePaths is set to false.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary JavaScript.

The vulnerability exists due to improper neutralization of input in the /actions/app/resource-js endpoint when handling requests with a poisoned Host or X-Forwarded-Host header. A remote attacker can send a specially crafted request to inject arbitrary JavaScript.

If a caching layer is present, the issue can lead to web cache poisoning and stored cross-site scripting in the control panel. The issue manifests when assetManager.cacheSourcePaths is set to false.
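Issues 2 and 3 share a root cause: the /actions/app/resource-js endpoint builds on a Host or X-Forwarded-Host value that the client controls. The following is an added illustration, not Craft CMS code and not the vendor's fix, of the standard mitigation: the application only ever treats a hostname as its own origin if it appears in an explicit allowlist, and X-Forwarded-Host is ignored unless a trusted proxy is known to set it. It also includes a small triage helper that flags requests to that endpoint with an untrusted host in constructed access-log lines. The hostnames, the endpoint path handling and the log format are assumptions made for this example.

```python
"""Allowlisting Host / X-Forwarded-Host and triaging access logs.

Added illustration (not Craft CMS code). The hostnames, the endpoint path
handling and the log format are assumptions made for this example.
"""
from __future__ import annotations

import re
from typing import Iterable, Mapping

# Assumed trusted canonical hostnames for the deployment (placeholder values).
TRUSTED_HOSTS = frozenset({"cms.example.com", "www.example.com"})

# A Host-style header value: a plain hostname with an optional port, nothing else.
_HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def normalize_host(raw: str | None) -> str | None:
    """Return the lower-cased hostname from a Host-style header, or None if malformed.

    Strips an optional port and rejects anything that is not a plain hostname,
    so values carrying slashes, quotes or whitespace never reach URL building.
    """
    if raw is None:
        return None
    m = _HOST_RE.match(raw.strip())
    return m.group("host").lower() if m else None


def effective_host(headers: Mapping[str, str], trust_proxy: bool = False) -> str | None:
    """Pick the hostname the application may treat as its own origin.

    X-Forwarded-Host is consulted only when the deployment explicitly trusts an
    upstream proxy to set it; otherwise it is ignored. Whatever value is chosen
    must be in TRUSTED_HOSTS, or the request gets no origin at all.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    candidate = hdrs.get("x-forwarded-host") if trust_proxy else None
    if candidate:
        candidate = candidate.split(",")[0]  # a forwarded chain lists the client-facing host first
    else:
        candidate = hdrs.get("host")
    host = normalize_host(candidate)
    return host if host in TRUSTED_HOSTS else None


def resource_url(headers: Mapping[str, str], path: str, trust_proxy: bool = False) -> str | None:
    """Build an absolute URL for a resource only from an allowlisted host.

    Returns None (the caller should answer 400) instead of ever embedding a
    client-chosen hostname in a URL the server will fetch or emit as script.
    """
    host = effective_host(headers, trust_proxy)
    return None if host is None else f"https://{host}{path}"


# --- log triage -------------------------------------------------------------
# Assumed (constructed) access-log format:
#   <vhost> - - [time] "METHOD path proto" status xfh="<X-Forwarded-Host or ->"
_LOG_RE = re.compile(
    r'^(?P<host>\S+) - - \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) xfh="(?P<xfh>[^"]*)"$'
)

# Constructed sample lines; "unknown.invalid" stands in for any non-allowlisted host.
CONSTRUCTED_LOG = [
    'cms.example.com - - [16/Jun/2026:10:00:01 +0000] "GET /actions/app/resource-js?asset=a.js HTTP/1.1" 200 xfh="-"',
    'cms.example.com - - [16/Jun/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 xfh="-"',
    'unknown.invalid - - [16/Jun/2026:10:00:03 +0000] "GET /actions/app/resource-js?asset=a.js HTTP/1.1" 200 xfh="-"',
    'cms.example.com - - [16/Jun/2026:10:00:04 +0000] "GET /actions/app/resource-js?asset=a.js HTTP/1.1" 200 xfh="unknown.invalid"',
]


def flag_suspicious(lines: Iterable[str]) -> list[str]:
    """Return log lines hitting the resource endpoint with an untrusted Host or X-Forwarded-Host."""
    flagged = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not m.group("path").startswith("/actions/app/resource-js"):
            continue
        host_ok = normalize_host(m.group("host")) in TRUSTED_HOSTS
        xfh = m.group("xfh")
        xfh_ok = xfh == "-" or normalize_host(xfh) in TRUSTED_HOSTS
        if not (host_ok and xfh_ok):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(resource_url({"Host": "cms.example.com"}, "/actions/app/resource-js?asset=a.js"))
    print(resource_url({"Host": "cms.example.com", "X-Forwarded-Host": "unknown.invalid"}, "/x", trust_proxy=True))
    for line in flag_suspicious(CONSTRUCTED_LOG):
        print("FLAG", line)
```

The design point is that the allowlist is checked before any URL is assembled, so a request with a forged header is refused rather than sanitised; an installation that cannot patch immediately can apply the same allowlist at the reverse proxy and use the triage logic against its real access logs to see whether the endpoint has been probed with unexpected hosts.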


4) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the system email template rendering functionality when rendering sandboxed system message templates containing the dataUrl() Twig function. A remote user can embed a file-reading payload into a system email template to disclose sensitive information.

Exploitation requires the utility:system-messages permission and configured email sending. The issue can expose the .env file contents, including secrets that may enable subsequent admin account takeover.


5) Code Injection (CVE-ID: N/A)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of the user-controlled Referer header in the entry-saving redirect handling. A remote user can supply a specially crafted Referer header to execute arbitrary code.

Exploitation requires control panel access and permission to edit an entry.
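Issue 5 is a reminder that the Referer header is client-supplied data, even for an authenticated control-panel user. The following added illustration (not Craft CMS code and not the vendor's fix) shows the generic defensive handling of a Referer-derived "return to" target: parse it, accept it only if it points at one of the site's own hosts, reduce it to a relative path and query made of allowlisted characters, and otherwise fall back to a fixed default. The value is only ever emitted as a Location header, never rendered through a template engine or evaluated. The trusted hostnames, the default path and the character allowlist are assumptions for this example.

```python
"""Deriving a post-save redirect target from the Referer header safely.

Added illustration (not Craft CMS code, and not the vendor's fix). The trusted
hostnames, the default path and the character allowlist are assumptions for
this example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed trusted hostname(s) of the control panel (placeholder values).
TRUSTED_HOSTS = frozenset({"cms.example.com"})
# Where to send the user when the Referer cannot be trusted.
DEFAULT_RETURN_PATH = "/admin/entries"
# Conservative allowlist for the path+query we are willing to echo back as a Location.
_SAFE_TARGET_RE = re.compile(r"^/[A-Za-z0-9_\-./?=&%]*$")


def safe_return_path(referer: str | None) -> str:
    """Return a same-origin, relative path taken from Referer, or the default.

    The header is attacker-controlled, so it is treated as data only: it is
    parsed, checked against the origin allowlist, reduced to a relative
    path+query made of allowlisted characters, and otherwise discarded. It is
    never rendered through a template engine or evaluated in any way.
    """
    if not referer:
        return DEFAULT_RETURN_PATH
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return DEFAULT_RETURN_PATH
    # Absolute http(s) URL on one of our own hosts only; a scheme-relative
    # "//host/path" has no scheme and is rejected here.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return DEFAULT_RETURN_PATH
    if parts.hostname.lower() not in TRUSTED_HOSTS:
        return DEFAULT_RETURN_PATH
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Reject traversal segments, protocol-relative paths and any character outside the allowlist.
    if ".." in target or target.startswith("//") or not _SAFE_TARGET_RE.match(target):
        return DEFAULT_RETURN_PATH
    return target


def redirect_response(referer: str | None) -> tuple[int, dict[str, str]]:
    """HTTP-shaped result for the redirect issued after an entry is saved."""
    return 302, {"Location": safe_return_path(referer)}


if __name__ == "__main__":
    for ref in (None,
                "https://cms.example.com/admin/entries/section/12?site=default",
                "https://unknown.invalid/admin/entries",
                "https://cms.example.com/admin/../.env"):
        print(repr(ref), "->", redirect_response(ref))
```

Because the fallback is a constant, a malformed or foreign Referer degrades to a slightly less convenient redirect rather than to anything the server interprets; the same shape applies to any "return URL" taken from a header, query parameter or hidden form field.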


Remediation

Install the update from the vendor's website.