Cross-site scripting in Craft CMS - CVE-2026-33051


Published: June 16, 2026


Vulnerability identifier: #VU134664
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33051
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote authenticated user to escalate privileges by executing arbitrary script in an administrator's control panel session.

The vulnerability exists due to insufficient sanitization of user-supplied data: the revision/draft context menu in the element editor renders the creator's fullName as raw HTML instead of escaping it. A remote user who can set their own fullName and create entries can store a crafted fullName containing HTML or script, create an entry and save it twice so that a revision attributed to that user is listed in the context menu. When an administrator opens the menu, the payload executes in the administrator's browser.

Exploitation requires that an administrator is logged in and renders the crafted payload while an elevated session is active, so the attacker-controlled script runs with the administrator's privileges.
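The defect class described above, as an added illustration that is not Craft CMS source code: a menu item built by concatenating the creator's fullName into markup (vulnerable) next to the same item with the value escaped (hardened), plus a small audit helper for checking stored fullName values after patching. The data shapes, function names, MARKUP_PATTERN and the sample accounts are constructed here for demonstration and are assumptions, not taken from the product.

```javascript
// Added illustration of the rendering defect; NOT Craft CMS code.
// Data shapes, function names and the payload below are constructed.

// Minimal HTML escaping for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the creator's fullName is concatenated into markup
// unescaped, so any HTML stored in the profile field is rendered as HTML
// in the viewer's (here: the administrator's) browser.
function renderRevisionItemVulnerable(revision) {
  return (
    '<li class="revision">' +
    '<span class="label">Revision ' + revision.num + '</span>' +
    '<span class="creator">by ' + revision.creator.fullName + '</span>' +
    '</li>'
  );
}

// Hardened pattern: every user-controlled value is escaped before it is
// concatenated into markup (assigning via textContent would also do).
function renderRevisionItemFixed(revision) {
  return (
    '<li class="revision">' +
    '<span class="label">Revision ' + escapeHtml(revision.num) + '</span>' +
    '<span class="creator">by ' + escapeHtml(revision.creator.fullName) + '</span>' +
    '</li>'
  );
}

// Post-upgrade audit helper (assumption: user records can be exported with
// a fullName field). A legitimate display name never needs a tag, an
// on* event handler or a javascript: URL, so any match deserves a look.
const MARKUP_PATTERN = /<[a-z!/]|on[a-z]+\s*=|javascript:/i;

function findSuspiciousFullNames(users) {
  return users.filter((u) => MARKUP_PATTERN.test(u.fullName || ""));
}

// Constructed sample data: an attacker account whose fullName carries an
// image tag with an error handler, and a benign account.
const attacker = { id: 2, fullName: '<img src=x onerror="alert(document.cookie)">' };
const editor = { id: 3, fullName: "Dana O'Neil" };
const sampleRevision = { num: 2, creator: attacker };

// Renders the same revision both ways and runs the audit over both accounts.
function demo() {
  return {
    vulnerable: renderRevisionItemVulnerable(sampleRevision),
    fixed: renderRevisionItemFixed(sampleRevision),
    flagged: findSuspiciousFullNames([attacker, editor]).map((u) => u.id),
  };
}

console.log(demo());
```

The vulnerable render emits the img tag verbatim, so the onerror handler fires as soon as the menu is drawn; the hardened render emits `&lt;img ...&gt;`, which the browser displays as text. Because the script runs inside the administrator's elevated session, auditing existing fullName values after installing the fix is worth the few minutes it takes.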


How to mitigate CVE-2026-33051

Install the security update from the vendor's website.
