Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-fvwq-45qv-xvhv

CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

Also known asCVE-2026-31859
Published
Mar 11, 2026
Updated
Mar 13, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk8th percentile+0.14%
0.00%0.23%0.46%0.68%0.0%0.0%0.0%0.2%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected
🐘craftcms/cms🐘craftcms/cms

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute.

Details

The patched code in is:

public function setReturnUrl($url): void
{
    parent::setReturnUrl(strip_tags($url));
}

strip_tags() removes HTML tags (e.g., <script>, <img>) from a string, but it is not a URL sanitizer. When the sanitized return URL is subsequently rendered in an href attribute context (e.g., <a href="{{ returnUrl }}">), the following dangerous payloads survive strip_tags() completely unmodified:

  1. javascript: protocol URLs -- javascript:alert(document.cookie) contains no HTML tags, so strip_tags() returns it verbatim. When placed in an href, clicking the link executes the JavaScript.

  2. data: URIs -- data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== uses Base64 encoding and contains no tags at all, bypassing strip_tags() entirely.

  3. Protocol-relative URLs -- //evil.com/steal contains no tags and is passed through unchanged. When rendered as an href, the browser resolves it relative to the current page’s protocol, redirecting the user to an attacker-controlled domain.

The core issue is that strip_tags() operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.

Impact

Reflected XSS via crafted return URL. An attacker constructs a malicious link such as https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie) and sends it to a victim. The attack flow is:

  1. Victim clicks the link, visiting the Craft CMS site.
  2. The application calls setReturnUrl() with the attacker-controlled value.
  3. strip_tags() processes the URL but finds no HTML tags -- it passes through unchanged.
  4. The URL is stored in the session and later rendered in an href attribute (e.g., a "Return" or "Continue" link).
  5. When the victim clicks that link, javascript:alert(document.cookie) executes in the context of the Craft CMS origin.

This enables:

  • Session hijacking via cookie theft (document.cookie)
  • Data exfiltration via fetch() to an attacker-controlled server
  • Phishing by redirecting to a lookalike domain (protocol-relative URL)
  • CSRF by performing actions on behalf of the authenticated user

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistcraftcms/cms4.15.3&&< 4.17.34.17.3
🐘Packagistcraftcms/cms5.7.5&&< 5.9.75.9.7

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for craftcms/cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update craftcms/cms to 4.17.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fvwq-45qv-xvhv is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-fvwq-45qv-xvhv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fvwq-45qv-xvhv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute. ### Details The patched code in is: ```php public function setReturnUrl($url): void { parent::setReturn
O3 Security · Impact-Aware SCA

Is GHSA-fvwq-45qv-xvhv in your dependencies?

O3 detects GHSA-fvwq-45qv-xvhv across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works