Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-4mgv-366x-qxvx

Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

Published
Mar 3, 2026
Updated
Mar 4, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

Blast Radius

2 pkgs affected
🐘craftcms/cms🐘craftcms/cms

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Overview of all XSS Reports

Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows:

ReportWhat's VulnerableWhy Separate
This Report (1)Multiple settings namesTwig Template: _includes/forms/checkbox.twig
Report 2Entry Types NameTwig Template: _includes/forms/editableTable.twig
Report 3Card Attributes in Field Layouthelpers/Cp.php
Report 4 (Commerce)Product Type NameSource in Commerce, sink in CMS - will report this one via Commerce GHSA

Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.

Note: This overview is only in this Report. Other reports only reference this one.

Summary

Stored XSS in multiple settings. Names/labels are rendered without sanitization via checkbox.twig template which uses {{ label|raw }}.

Affected Sources

#Source (injection point)Sink (where payload reflects)
1Section Name (/admin/settings/sections)Entries field -> Sources checklist
2Volume Name (/admin/settings/assets/volumes/{vol_id})Assets field -> Sources checklist
3User Group Name (/admin/settings/users/groups)Users field -> Sources, User permissions page
4Global Set Name (/admin/settings/globals)User permissions page
5Generated Fields Name (Volumes, Users, etc.)Card Attributes checkboxes
6Checkboxes & Radio Buttons Field Option Label (/admin/settings/fields)User profile pages
7Custom Sources Label (/admin/users -> Customize Sources)Users field -> Sources checklist

Proof of Concept

Required Permissions (Attacker)

Bugs 1-3: Section, Volume, User Group Names

  1. Log in as admin.
  2. Inject payload in one of these:
    • Settings -> Sections -> Create/edit section -> Name
    • Settings -> Assets -> Volumes -> Create/edit volume -> Name
    • Settings -> Users -> User Groups -> Create/edit group -> Name
  3. Set Name to:
<img src=x onerror="alert('XSS')">
  1. Save.
  2. Go to Settings -> Fields -> Create new field.
  3. To trigger the XSS payload: Set Field Type to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.

Note: User Group Name also reflects on User permissions page under User Groups section (/admin/users/{id}/permissions).

Bug 4: Global Set Name

  1. Go to Settings -> Globals (/admin/settings/globals).
  2. Create/edit a Global Set, set Name to payload.
  3. Save.
  4. Go to Users -> Edit any user -> Permissions tab (/admin/users/{id}/permissions).
  5. Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.

Bug 5: Generated Fields Name

  1. Go to Settings -> Assets -> Volumes -> Create/Edit a volume.
  2. Scroll to Generated Fields section.
  3. Add a field, set Name to payload:
<img src=x onerror="alert('XSS')">
  1. Save & Notice the alert. The payload renders in the Card Attributes checkbox list below it.

Bug 6: Checkboxes/Radio Buttons Option Label

  1. Go to Settings -> Fields (/admin/settings/fields).
  2. Create new field, set Field Type to "Checkboxes" or "Radio Buttons".
  3. In Field Options, add an option with Label set to payload.
  4. Save the field.
  5. Go to Settings -> Users -> User Profile Fields (/admin/settings/users/fields).
  6. Add the created field to the layout and save.
  7. Alert fires on any user profile page (/admin/users/{id}).

Bug 7: Custom Sources Label

  1. Go to Users (/admin/users).
  2. Click the three dots icon -> Customize Sources.
  3. Create a new custom source, set Label to payload.
  4. Save.
  5. Go to Settings -> Fields -> Create new field.
  6. Set Field Type to "Users".
  7. Alert fires in the Sources checkbox list.

Resources

https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistcraftcms/cms5.0.0-RC1&&< 5.9.0-beta.15.9.0-beta.1
🐘Packagistcraftcms/cms4.0.0-RC1&&< 4.17.0-beta.14.17.0-beta.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for craftcms/cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update craftcms/cms to 5.9.0-beta.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4mgv-366x-qxvx is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4mgv-366x-qxvx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4mgv-366x-qxvx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Overview of all XSS Reports Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into **4 reports** as follows: | Report | What's Vulnerable | Why Separate | |--------|-------------------|--------------| | **This Report (1)** | Multiple settings names | Twig Template: `_includes/forms/checkbox.twig` | | **Report 2** | Entry Types Name | Twig Template: `_includes/forms/editableTable.twig` | | **Report 3** | Card Attributes in Field Layout | `helpers/Cp.php` | | **Report 4 (Commerce)** | Product Type Name | Source in Commerce, sink in CMS - will report this one via C
O3 Security · Impact-Aware SCA

Is GHSA-4mgv-366x-qxvx in your dependencies?

O3 detects GHSA-4mgv-366x-qxvx across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works