PatchSiren cyber security CVE debrief
CVE-2026-56381 craftcms CVE debrief
CVE-2026-56381 is a stored cross-site scripting (XSS) vulnerability in Craft CMS, affecting versions 5.0.0-RC1 and later. The vulnerability exists in the User Permissions page, where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field, which executes when other users view or edit permissions. The CVSS score for this vulnerability is 4.6, indicating a medium severity. Defenders should prioritize patching or mitigating this vulnerability to prevent potential attacks.
- Vendor: craftcms
- Product: cms
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-21
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-21
- Advisory updated: 2026-06-23
Who should care
Administrators of Craft CMS installations running version 5.0.0-RC1 or later should prioritize patching or mitigating this vulnerability. The users at risk are those who view or edit permissions in the affected versions: a malicious group name stored by an admin-level account executes in their browser when they open the User Permissions page.
Technical summary
The vulnerability exists in the User Permissions page of Craft CMS, where user group names are not properly HTML escaped. This allows attackers with admin access to inject arbitrary JavaScript via the user group name field. The injected JavaScript executes when other users view or edit permissions. The CVSS 4.0 vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The PR:H and UI:A components reflect that exploitation needs an account with high privileges to store the payload and a second user to open the affected page.
Defensive priority
Medium priority: the CVSS score is 4.6, and exploitation requires an attacker who already holds admin-level access plus a victim who opens the permissions page. The practical risk is that a compromised or malicious admin account can use the flaw to run script in the sessions of other users who manage permissions.
Recommended defensive actions
- Apply the official patch or update to a patched version of Craft CMS.
- Review and limit admin access to the User Permissions page.
- Implement compensating controls, such as web application firewalls (WAFs), to detect and prevent XSS attacks. Treat a WAF as a partial control here: the payload is stored through an authenticated admin form and later served by the application in an ordinary page, so request filtering alone may not catch it.
- Monitor user group name changes and alert on names containing HTML markup, event-handler attributes, or script URIs, none of which belong in a group label.
- Perform inventory and verify affected versions of Craft CMS.
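The monitoring action above, worked through as an added example that is not part of the original debrief or of Craft CMS itself. It scans constructed group-name change records for markup that has no place in a display name and shows what the escaped rendering of such a name should look like; the record format and field names are assumptions for the example.

```python
import html
import re
from dataclasses import dataclass

# Patterns that do not belong in a short display label.  They are kept broad on
# purpose: any markup in a group name deserves review, so there is no attempt to
# enumerate specific payloads.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script_uri", re.compile(r"(javascript|vbscript|data)\s*:", re.IGNORECASE)),
    ("entity_or_escape", re.compile(r"&#|&[a-z]+;|\\u00|%3c", re.IGNORECASE)),
]

@dataclass
class GroupNameChange:
    when: str       # ISO timestamp from the audit trail (assumed field)
    actor: str      # account that submitted the change (assumed field)
    new_name: str   # group name as submitted (assumed field)

def classify_name(name):
    """Return the labels of all SUSPICIOUS patterns that match; empty means clean."""
    return [label for label, rx in SUSPICIOUS if rx.search(name)]

def flag_changes(changes):
    """Return (change, labels) for each change whose new name contains markup."""
    flagged = []
    for change in changes:
        labels = classify_name(change.new_name)
        if labels:
            flagged.append((change, labels))
    return flagged

def safe_render(name):
    """The output an escaping template produces: HTML-escaped, quotes included."""
    return html.escape(name, quote=True)

# Constructed sample records, not real Craft CMS log output.
SAMPLE = [
    GroupNameChange("2026-06-22T09:14:03Z", "alice", "Content Editors"),
    GroupNameChange("2026-06-22T09:20:41Z", "alice", "Marketing & Events"),
    GroupNameChange("2026-06-22T23:58:10Z", "svc-deploy", "Editors<script>alert(1)</script>"),
    GroupNameChange("2026-06-23T00:02:55Z", "svc-deploy", 'Review<img src=x onerror="alert(1)">'),
]

if __name__ == "__main__":
    for change, labels in flag_changes(SAMPLE):
        print(f"{change.when} {change.actor!r} set group name {change.new_name!r}: {labels}")
        print("  escaped rendering:", safe_render(change.new_name))
```

The plain ampersand in "Marketing & Events" is deliberately not flagged, so legitimate punctuation does not generate noise.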
Evidence notes
The primary evidence for this vulnerability comes from the CVE-2026-56381 record and the NVD detail page. The vulnerability affects Craft CMS versions 5.0.0-RC1 and later. Defenders should verify the affected versions and apply patches or mitigations accordingly. The CVE record and NVD detail page provide additional information on the vulnerability, including the CVSS score and vector.
Official resources
This article is AI-assisted and based on the supplied source corpus.