CVE-2026-31859
- Source
- https://cve.org/CVERecord?id=CVE-2026-31859
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31859.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-31859
- Aliases
- Published
- 2026-03-11T17:37:19.065Z
- Modified
- 2026-04-02T13:24:02.694083Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Craft has Reflective XSS via incomplete return URL sanitization
- Details
-
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a striptags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, striptags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
- Database specific
{ "cwe_ids": [ "CWE-116", "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31859.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/craftcms/cms
Affected ranges
Affected versions
4.*
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.18
4.16.19
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.17.0
4.17.0-beta.1
4.17.0-beta.2
4.17.1
4.17.2
5.*
5.7.10
5.7.11
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.8.0
5.8.1
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.2
5.8.20
5.8.21
5.8.22
5.8.23
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.9.0
5.9.0-beta.1
5.9.0-beta.2
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6