Vulnerability Description
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 5.9.0, < 5.9.11 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1Patch
- https://github.com/craftcms/cms/releases/tag/5.9.11ProductRelease Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqqPatchVendor Advisory
FAQ
What is CVE-2026-33051?
CVE-2026-33051 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use...
How severe is CVE-2026-33051?
CVE-2026-33051 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33051?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.