GHSA-XRQC-P465-2XVG

Vulnerability from github – Published: 2026-07-06 21:35 – Updated: 2026-07-06 21:35
VLAI
Summary
Craft CMS: Stored XSS via Structure entry title in table view
Details

Stored XSS via Structure entry title in table view

Summary

An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session.

The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping.

Execution was verified with alert(document.domain). Impact was verified against an elevated admin session by changing the admin user’s email through users/save-user, then using the password-reset flow to take over the account.

Preconditions

  • Attacker has createEntries + saveEntries on a Structure-type section (Author-style CP account; no admin permission required).
  • Victim has saveEntries on the same section. Craft only renders drag handles when structureEditable is true, which requires this permission, so any admin qualifies.
  • Section must be type Structure. Channel and Single sections are unaffected.
  • Poisoned entry must have no children at the time of the drag (fires on the 0-to-1 descendant transition).
  • For the email-change account-takeover path, the victim must currently have an elevated session. The stored XSS itself does not require elevation.

Root cause

ElementTableSorter.js lines 643-652:

const ancestorTitle = this._updateAncestors._$ancestor.data('title');
$(
  '<button … aria-label="' +
    Craft.t('app', 'Show {title} children', {title: ancestorTitle}) +
  '"></button>'
).insertAfter(…);

Craft.t with a {title} token calls _parseToken, reaches case 'none': return arg (Craft.js:193-194), and returns the title verbatim. The result is handed to jQuery's $() and parsed as HTML.

The server-side template correctly encodes the entry title into data-title, but the browser decodes that attribute before jQuery returns it from .data('title'). At that point the value is attacker-controlled HTML, and it is inserted into the aria-label attribute without Craft.escapeHtml().

Steps to reproduce

Plant (attacker - Author account):

python3 poc.py --url http://target --cp admin \
  --user author@example.com --pass secret --section mySection

Trigger (victim - any control panel user with saveEntries, e.g. admin):

  1. Open the section index in Table view.
  2. Drag the "Drag me" entry and drop it as the first child of the poisoned entry.

alert(document.domain) fires in the victim’s session.

Impact payload tested in an elevated admin session (249 chars, within the 255-char title limit):

"><img src=x onerror="fetch(Craft.actionUrl+'users/save-user',{method:'POST',body:Craft.csrfTokenName+'='+encodeURIComponent(Craft.csrfTokenValue)+'&userId=1&email=attacker%40evil.com',headers:{'Content-Type':'application/x-www-form-urlencoded'}})">

When triggered during an elevated admin session, the admin’s email is changed to the attacker-controlled address. The attacker can then request a password reset and receive the reset link.

Impact

Stored XSS in the control panel from an Author-level account. The payload runs as the victim control panel user and can use Craft.csrfTokenName / Craft.csrfTokenValue to send same-origin action requests as that user.

In my test environment, triggering the payload in an elevated admin session allowed Author-to-admin account takeover via admin email change and password reset.

Mitigating factors

  • Requires an existing control panel account (Author role minimum).
  • Victim must perform a drag operation, not just visit the page.
  • The demonstrated email-change takeover requires the victim’s session to be elevated at trigger time.

Resources

https://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 5.9.22"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T21:35:02Z",
    "nvd_published_at": "2026-07-01T22:16:50Z",
    "severity": "MODERATE"
  },
  "details": "# Stored XSS via Structure entry title in table view\n\n## Summary\n\nAn Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with `saveEntries` for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim\u2019s session.\n\nThe issue is exploitable because the title is escaped into `data-title` by the server, decoded again by the browser, read with jQuery `.data(\u0027title\u0027)`, and then concatenated into a new HTML string without attribute escaping.\n\nExecution was verified with `alert(document.domain)`. Impact was verified against an elevated admin session by changing the admin user\u2019s email through `users/save-user`, then using the password-reset flow to take over the account.\n\n## Preconditions\n\n- Attacker has `createEntries` + `saveEntries` on a Structure-type section (Author-style CP account; no admin permission required).\n- Victim has `saveEntries` on the same section. Craft only renders drag handles when `structureEditable` is true, which requires this permission, so any admin qualifies.\n- Section must be type Structure. Channel and Single sections are unaffected.\n- Poisoned entry must have no children at the time of the drag (fires on the 0-to-1 descendant transition).\n- For the email-change account-takeover path, the victim must currently have an elevated session. The stored XSS itself does not require elevation.\n\n## Root cause\n\n`ElementTableSorter.js` lines 643-652:\n\n```js\nconst ancestorTitle = this._updateAncestors._$ancestor.data(\u0027title\u0027);\n$(\n  \u0027\u003cbutton \u2026 aria-label=\"\u0027 +\n    Craft.t(\u0027app\u0027, \u0027Show {title} children\u0027, {title: ancestorTitle}) +\n  \u0027\"\u003e\u003c/button\u003e\u0027\n).insertAfter(\u2026);\n```\n\n`Craft.t` with a `{title}` token calls `_parseToken`, reaches `case \u0027none\u0027: return arg` (`Craft.js:193-194`), and returns the title verbatim. The result is handed to jQuery\u0027s `$()` and parsed as HTML.\n\nThe server-side template correctly encodes the entry title into `data-title`, but the browser decodes that attribute before jQuery returns it from `.data(\u0027title\u0027)`. At that point the value is attacker-controlled HTML, and it is inserted into the `aria-label` attribute without `Craft.escapeHtml()`.\n\n## Steps to reproduce\n\n**Plant (attacker - Author account):**\n\n```bash\npython3 poc.py --url http://target --cp admin \\\n  --user author@example.com --pass secret --section mySection\n```\n\n**Trigger (victim - any control panel user with `saveEntries`, e.g. admin):**\n\n1. Open the section index in Table view.\n2. Drag the \"Drag me\" entry and drop it as the first child of the poisoned entry.\n\n`alert(document.domain)` fires in the victim\u2019s session.\n\n**Impact payload tested in an elevated admin session (249 chars, within the 255-char title limit):**\n\n```html\n\"\u003e\u003cimg src=x onerror=\"fetch(Craft.actionUrl+\u0027users/save-user\u0027,{method:\u0027POST\u0027,body:Craft.csrfTokenName+\u0027=\u0027+encodeURIComponent(Craft.csrfTokenValue)+\u0027\u0026userId=1\u0026email=attacker%40evil.com\u0027,headers:{\u0027Content-Type\u0027:\u0027application/x-www-form-urlencoded\u0027}})\"\u003e\n```\n\nWhen triggered during an elevated admin session, the admin\u2019s email is changed to the attacker-controlled address. The attacker can then request a password reset and receive the reset link.\n\n## Impact\n\nStored XSS in the control panel from an Author-level account. The payload runs as the victim control panel user and can use `Craft.csrfTokenName` / `Craft.csrfTokenValue` to send same-origin action requests as that user.\n\nIn my test environment, triggering the payload in an elevated admin session allowed Author-to-admin account takeover via admin email change and password reset.\n\n## Mitigating factors\n\n- Requires an existing control panel account (Author role minimum).\n- Victim must perform a drag operation, not just visit the page.\n- The demonstrated email-change takeover requires the victim\u2019s session to be elevated at trigger time.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc",
  "id": "GHSA-xrqc-p465-2xvg",
  "modified": "2026-07-06T21:35:02Z",
  "published": "2026-07-06T21:35:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-xrqc-p465-2xvg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: Stored XSS via Structure entry title in table view"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…