CVE-2026-56393: Craft CMS: stored XSS hijacks admin panel sessions
Severity: MEDIUM
Craft CMS 4.x and 5.x contain multiple stored XSS vulnerabilities where an authenticated administrator with the allowAdminChanges permission can inject arbitrary JavaScript into settings fields — section names, volume names, user group names, field labels, and checkbox/radio option labels — that then executes silently in any other user's control-panel session. The CVSS scope is Changed (S:C), meaning payloads can escape the originating context and affect third-party resources including connected integrations. While exploitation requires a pre-existing administrator account and no public exploit or CISA KEV entry exists, multi-admin environments — typical of AI/ML platforms where multiple teams manage content schemas or data labeling workflows in Craft — face a real privilege-escalation and session-hijacking risk between accounts. Upgrade to Craft CMS 4.17.0-beta.1 or 5.9.0-beta.1 immediately; if patching is not feasible, restrict allowAdminChanges to a minimal set of fully trusted superadmins and audit all existing settings fields for suspicious payloads.
What is the risk?
Medium severity (CVSS 4.8) with Changed scope. The high-privilege requirement substantially limits external attack surface, but in multi-administrator deployments the risk is real: a single compromised or malicious admin account can silently persist payloads affecting every other admin session without detection. No public exploit is available and EPSS data is absent, making opportunistic exploitation unlikely in the near term. The principal risk vector is insider threat or a follow-on attack after initial credential compromise.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| cms (craftcms/cms) | Composer | >= 4.0.0-RC1, < 4.17.0-beta.1 | 4.17.0-beta.1 |
| cms (craftcms/cms) | Composer | >= 5.0.0-RC1, < 5.9.0-beta.1 | 5.9.0-beta.1 |
If you run Craft CMS (the cms package) in either vulnerable range, you are affected.
What should I do?
5 steps
1. Upgrade to Craft CMS 4.17.0-beta.1 (4.x) or 5.9.0-beta.1 (5.x), which replace {{ label|raw }} with properly escaped rendering.
2. If immediate patching is not possible, audit allowAdminChanges and restrict it to a single superadmin account to reduce the injection surface.
3. Manually review all existing settings fields (section names, volume names, user group names, global set names, generated field names, checkbox and radio option labels, custom source labels) for suspicious payloads such as <script> tags or JavaScript event handlers.
4. Review admin audit logs for unexpected settings modifications in the past 30 days.
5. Strengthen CSP headers (script-src 'self') to limit what injected JavaScript can reach, as a defense-in-depth measure independent of patching.
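As an added illustration of the review step and of what the patch changes (example code written for this page, not Craft's own): a small Python audit helper that flags markup in exported settings values, and a pair of render functions that mimic the old {{ label|raw }} output next to entity-encoded output so the same values can be shown to be inert once escaped. The setting paths and sample values are constructed.

```python
import html
import re

# Constructed sample standing in for an export of Craft settings values
# (project config or a DB query); the paths and values are hypothetical.
SAMPLE_SETTINGS = {
    "sections.blog.name": "Blog",
    "volumes.assets.name": "Assets<script>console.log('x')</script>",
    "userGroups.editors.name": "Editors",
    "fields.consent.options[0].label": "I agree<img src=x onerror=console.log(1)>",
    "fields.consent.options[1].label": "Send me the newsletter",
    "globalSets.footer.name": "Footer",
    "sources.custom[0].label": '<a href="javascript:void(0)">All entries</a>',
}

# Every pattern is anchored on a literal '<', so text that has been HTML-escaped
# ('<' became '&lt;') can no longer match; that is what replacing |raw relies on.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"<[^>]*javascript\s*:", re.I)),
    ("any HTML tag", re.compile(r"<\s*/?[a-z][a-z0-9]*\b", re.I)),
]


def scan_settings(settings: dict) -> list:
    """Return (setting path, indicator) for every value that looks like markup."""
    findings = []
    for path, value in settings.items():
        for name, pattern in SUSPICIOUS:
            if pattern.search(value):
                findings.append((path, name))
    return findings


def render_raw(label: str) -> str:
    """Vulnerable rendering: the label is dropped into the page untouched."""
    return f"<label>{label}</label>"


def render_escaped(label: str) -> str:
    """Patched rendering: the label is entity-encoded before reaching the page."""
    return f"<label>{html.escape(label, quote=True)}</label>"


def is_inert(rendered_label: str) -> bool:
    """True when the text inside the <label> wrapper carries no markup of its own."""
    inner = rendered_label[len("<label>"):-len("</label>")]
    return not any(p.search(inner) for _, p in SUSPICIOUS)
```

Run scan_settings over a real export and treat every finding as something to inspect by hand; legitimate labels containing a bare "<" will also be flagged, which is the safe direction for an audit.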
Frequently Asked Questions
Is CVE-2026-56393 actively exploited?
No confirmed active exploitation of CVE-2026-56393 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-56393?
This vulnerability affects the following AI/ML architecture patterns: ML UI dashboards, content management for AI pipelines, AI training data labeling platforms.
What is the CVSS score for CVE-2026-56393?
CVE-2026-56393 has a CVSS v3.1 base score of 4.8 (MEDIUM).
What is the AI security impact?
Affected AI Architectures: ML UI dashboards, content management for AI pipelines, AI training data labeling platforms.
MITRE ATLAS Techniques
- AML.T0011 User Execution
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0078 Drive-by Compromise
What are the technical details?
Original Advisory
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Exploitation Scenario
An attacker who has obtained administrator credentials for a Craft CMS instance — through phishing, credential stuffing, or a compromised team member account — navigates to Settings and injects a JavaScript payload into a checkbox field option label, exploiting the previously unsanitized {{ label|raw }} Twig filter. The payload is stored in the database. When a second administrator or privileged content editor opens any control-panel section that renders the poisoned field, the JavaScript executes in their browser session without any visible indication, capturing their session cookie and forwarding it to an attacker-controlled endpoint. The attacker then replays the session token, gaining persistent access under the victim's identity — including rights to modify data schemas feeding an AI/ML pipeline, alter training labels, or export sensitive content.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style properties, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
References
- github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2 patch
- github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 patch
- github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx vendor-advisory
- vulncheck.com/advisories/craft-cms-multiple-stored-cross-site-scripting-in-settings-names-and-field-options third-party-advisory
Related Vulnerabilities
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Extraction
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Code Execution
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Data Extraction
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Data Extraction
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Code Execution