PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56393 craftcms CVE debrief

CVE-2026-56393 is a medium-severity vulnerability affecting Craft CMS versions 4.x and 5.x. An authenticated administrator can inject malicious payloads into various settings, leading to arbitrary JavaScript execution in other users' control-panel sessions. The vulnerability is fixed in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1. Defenders should prioritize patching because of the potential for script execution in other users' sessions.

Vendor
craftcms
Product
cms
CVSS
MEDIUM 4.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Defenders managing Craft CMS installations should be aware of this vulnerability, particularly where several people hold administrator access. Because an authenticated administrator can inject malicious payloads that run in other users' sessions, organizations on affected versions should apply the patches promptly.

Technical summary

CVE-2026-56393 involves multiple stored cross-site scripting (XSS) vulnerabilities in Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1). These vulnerabilities allow an authenticated administrator with 'allowAdminChanges' enabled to inject malicious payloads into various settings, such as section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels. When these settings are rendered without proper sanitization (e.g., via the checkbox.twig template using {{ label|raw }}), the injected payloads can lead to arbitrary JavaScript execution in other users' control-panel sessions.
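The settings listed above are persisted in Craft's project config (config/project/project.yaml), so a defender can audit that file for display names and option labels that carry HTML markup. The script below is an added example written for this debrief, not code from Craft CMS or from the advisory; the top-level keys (sections, volumes, globalSets, fields, users.groups) and the checkbox options layout are assumed to mirror project.yaml, and the sample data is constructed.

```python
import re
from typing import Any, Iterator

# Heuristic markup patterns that should never appear in a control-panel
# setting label. Constructed for this check; tune to your environment.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>"   # any HTML tag, e.g. <script>, <img ...>
    r"|javascript\s*:"                  # javascript: URLs
    r"|\bon[a-z]+\s*=",                 # inline event handlers, e.g. onerror=
    re.IGNORECASE,
)

# Project-config roots holding the names/labels the advisory names
# (section, volume, global set, user group, field and option labels).
# Key layout is an assumption about project.yaml, not taken from Craft docs.
WATCHED_ROOTS = ("sections", "volumes", "globalSets", "fields", "users")


def walk(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted.path, value) for every string leaf under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_markup_in_settings(config: dict) -> list[tuple[str, str]]:
    """Return (path, value) pairs of watched settings that contain markup."""
    hits = []
    for root in WATCHED_ROOTS:
        for path, value in walk(config.get(root, {}), root):
            if SUSPICIOUS.search(value):
                hits.append((path, value))
    return hits


# Constructed sample mirroring the shape of config/project/project.yaml
# (normally loaded with yaml.safe_load). One section name and one checkbox
# option label carry injected markup; everything else is benign.
SAMPLE_CONFIG = {
    "sections": {"uid-1": {"name": "News<img src=x onerror=alert(1)>", "handle": "news"}},
    "volumes": {"uid-2": {"name": "Assets", "handle": "assets"}},
    "globalSets": {"uid-3": {"name": "Footer", "handle": "footer"}},
    "users": {"groups": {"uid-4": {"name": "Editors", "handle": "editors"}}},
    "fields": {"uid-5": {"name": "Topics", "type": "craft\\fields\\Checkboxes",
               "settings": {"options": [
                   {"label": "Security", "value": "sec", "default": False},
                   {"label": "<script>alert(1)</script>", "value": "x", "default": False}]}}},
}

if __name__ == "__main__":
    for path, value in find_markup_in_settings(SAMPLE_CONFIG):
        print(f"{path}: {value!r}")
```

A hit is a name or label that the vulnerable templates would render unescaped; review who last changed it in the project config history and treat it as an indicator that an administrator account may be compromised.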

Defensive priority

Medium priority: exploitation requires an administrator account, but a successful attack executes script in other users' control-panel sessions, so the impact is high.

Recommended defensive actions

  • Apply patches: Upgrade to Craft CMS 4.17.0-beta.1 or 5.9.0-beta.1 immediately.
  • Inventory and review: Identify and review all instances of Craft CMS 4.x and 5.x within your organization.
  • Official advisory review: Consult the official Craft CMS security advisories for detailed information.
  • Vendor-supported remediation: Follow Craft CMS's recommended remediation steps.
  • Monitoring: Enhance monitoring for suspicious administrator activities and control-panel session anomalies.

Evidence notes

The primary evidence for this vulnerability comes from the Craft CMS security advisories and CVE details. Affected products include Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1). Defenders should verify their Craft CMS versions, check whether 'allowAdminChanges' is enabled, and review the existing administrator accounts.

Official resources

This article is AI-assisted and based on the supplied source corpus.