Listen to this Post
The vulnerability is a stored Cross-Site Scripting (XSS) issue found in the Craft CMS control panel. It resides in the User Permissions page, where the names of User Groups are displayed. When rendering these group names in the permissions section for a specific user, the application fails to properly escape HTML entities. This allows an attacker with the necessary permissions to create a User Group with a name containing malicious JavaScript code. Subsequently, when any other administrator or user with access views or edits the permissions of any user, the malicious script executes within their browser in the context of the control panel. The attacker does not need to trick the victim into clicking a link; the script executes automatically when the page loads. Successful exploitation could lead to unauthorized actions, data theft, or session hijacking within the vulnerable CMS instance. The vulnerability is considered distinct from previous XSS issues in other areas of the group settings. A patch has been issued by the vendor .
Platform: Craft CMS
Version: (Unspecified, affects versions before patch)
Vulnerability: Stored XSS
Severity: Low
Date: Mar 11, 2026
Prediction: Patched already
What Undercode Say:
Analytics
- The vulnerability was published to the GitHub Advisory Database on March 11, 2026.
- It was reviewed and last updated on the same day.
- This is a separate issue from previously reported stored XSS vulnerabilities in other areas of User Group management.
How Exploit
An attacker can exploit this vulnerability by following these steps:
1. Navigate to the User Group creation page (e.g., /admin/settings/users).
2. Create a new User Group.
- In the “Name” field, input a malicious payload, for example:
<img src=x onerror="alert('XSS in Permissions Page')">
or
<script>alert(document.cookie)</script>
4. Save the new User Group.
- The attacker then waits for or lures a privileged user (e.g., an admin) to view or edit any user’s permissions page (e.g.,
/admin/users/{id}). The script will execute automatically when the page renders.
Protection from this CVE
- Immediate Update: Upgrade your Craft CMS installation to the latest patched version as referenced in the official GitHub advisory .
- Security Configuration: As a general security best practice, ensure `allowAdminChanges` is set to `false` in production environments, as enabled in the PoC .
- Input Sanitization: If a direct patch is unavailable, manually sanitize and escape all user inputs, especially those that are rendered back in the control panel, such as User Group names. Verify that the `templates/_includes/permissions.html` template uses proper escaping functions like `|escape` or
|e.
Impact
- An attacker can execute arbitrary JavaScript in the context of an authenticated administrator’s browser session.
- This can lead to session hijacking, where the attacker can steal session cookies and impersonate the victim.
- It could be used to perform privileged actions on behalf of the victim, such as creating new admin users, modifying site content, or exfiltrating sensitive data.
- The vulnerability allows for tampering with the Craft CMS control panel.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

