XSS in Craftcms Cms

CVE-2026-31859

Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTM…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (12.7th percentile)

Affected products

  • Craftcms Cms — versions >= 4.15.3 and < 4.17.3; versions >= 5.7.5 and < 5.9.7

Weakness classification (CWE)

References