XSS in Craftcms Cms

CVE-2026-33051

Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 5.9.0-beta.1, < 5.9.11

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq (x_refsource_CONFIRM)
https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1 (x_refsource_MISC)
https://github.com/craftcms/cms/releases/tag/5.9.11 (x_refsource_MISC)