#VU126472 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Craft CMS - CVE-2024-45406


Published: September 9, 2024 / Updated: April 17, 2026


Vulnerability identifier: #VU126472
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-45406
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Craft CMS
Software vendor:
Pixel & Tonic, Inc.

Description

The vulnerability allows a remote user to execute arbitrary script in the control panel.

The vulnerability exists due to improper neutralization of input during web page generation: breadcrumb list and title fields in the control panel render stored, user-supplied category titles, entry titles, usernames, or full names without neutralizing script-related HTML tags. A remote user can store a specially crafted value in one of these fields to execute arbitrary script in the control panel.

User interaction is required: a user must view an affected control panel page.
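The flaw class described above, as an added illustration that is not Craft CMS code: a breadcrumb and title-field renderer in its "before" form (stored titles interpolated verbatim, CWE-80) beside a hardened form that escapes text content and attribute values separately and allow-lists link schemes. The stored title and the URLs are constructed sample values.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a stored entry title carrying a script-related HTML tag,
# saved through one of the fields the advisory names (entry/category title).
STORED_TITLE = 'Quarterly report <script>probe()</script>'


def render_breadcrumbs_unsafe(crumbs):
    """'Before' form: stored titles land in the page unescaped (CWE-80)."""
    items = ''.join(f'<li><a href="{url}">{label}</a></li>' for label, url in crumbs)
    return f'<ul class="breadcrumbs">{items}</ul>'


def safe_href(url):
    """Attribute context: allow relative paths and http(s) only, then escape quotes and &."""
    scheme = urlsplit(url).scheme
    if scheme and scheme not in ('http', 'https'):
        return '#'
    return html.escape(url, quote=True)


def render_breadcrumbs(crumbs):
    """Hardened form: text content and href attribute are escaped for their own context."""
    items = ''.join(
        f'<li><a href="{safe_href(url)}">{html.escape(label, quote=True)}</a></li>'
        for label, url in crumbs
    )
    return f'<ul class="breadcrumbs">{items}</ul>'


def render_title_field(title):
    """The title lives inside a value="..." attribute, so quotes must be escaped too."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


def has_unescaped_script_tag(rendered):
    """Regression check for templates: a literal <script tag in output means escaping was skipped."""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    crumbs = [('Entries', '/admin/entries'), (STORED_TITLE, '/admin/entries/12?tab=1&rev=2')]
    print(has_unescaped_script_tag(render_breadcrumbs_unsafe(crumbs)))  # True
    print(has_unescaped_script_tag(render_breadcrumbs(crumbs)))         # False
```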


Remediation

Install the security update from the vendor's website.

External links