Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Juzaweb |
|
No data.
No data.
References
History
Sun, 21 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions. | |
| Title | Craft CMS - Stored XSS via User Group Name in User Permissions Page | |
| First Time appeared |
Juzaweb
Juzaweb cms |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Juzaweb
Juzaweb cms |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-21T13:26:58.292Z
Updated: 2026-06-21T13:26:58.292Z
Reserved: 2026-06-21T02:05:47.495Z
Link: CVE-2026-56381
Vulnrichment
No data.
NVD
No data.
Redhat
No data.