Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.1
Craft CMS Allows Malicious Code in Settings Names and Labels
GHSA-4mgv-366x-qxvx
Summary
A weakness in Craft CMS allows an attacker to inject malicious code into settings names and labels. This could allow them to manipulate the appearance of the website or steal user data. Update Craft CMS to the latest version to fix this vulnerability.
What to do
- Update craftcms cms to version 5.9.0-beta.1.
- Update craftcms cms to version 4.17.0-beta.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 5.0.0-RC1 , <= 5.9.0-beta.1 | 5.9.0-beta.1 |
| craftcms | cms | > 4.0.0-RC1 , <= 4.17.0-beta.1 | 4.17.0-beta.1 |
Original title
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Original description
## Overview of all XSS Reports
Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into **4 reports** as follows:
| Report | What's Vulnerable | Why Separate |
|--------|-------------------|--------------|
| **This Report (1)** | Multiple settings names | Twig Template: `_includes/forms/checkbox.twig` |
| **Report 2** | Entry Types Name | Twig Template: `_includes/forms/editableTable.twig` |
| **Report 3** | Card Attributes in Field Layout | `helpers/Cp.php` |
| **Report 4 (Commerce)** | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |
Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.
**Note:** This overview is only in this Report. Other reports only reference this one.
---
## Summary
Stored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.
---
## Affected Sources
| # | Source (injection point) | Sink (where payload reflects) |
| --- | ------------------------------------------------------------------------ | --------------------------------------------- |
| 1 | Section Name (`/admin/settings/sections`) | Entries field -> Sources checklist |
| 2 | Volume Name (`/admin/settings/assets/volumes/{vol_id}`) | Assets field -> Sources checklist |
| 3 | User Group Name (`/admin/settings/users/groups`) | Users field -> Sources, User permissions page |
| 4 | Global Set Name (`/admin/settings/globals`) | User permissions page |
| 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes |
| 6 | Checkboxes & Radio Buttons Field Option Label (`/admin/settings/fields`) | User profile pages |
| 7 | Custom Sources Label (`/admin/users` -> Customize Sources) | Users field -> Sources checklist |
---
## Proof of Concept
### Required Permissions (Attacker)
- Admin access
- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).
### Bugs 1-3: Section, Volume, User Group Names
1. Log in as admin.
2. Inject payload in one of these:
- **Settings** -> **Sections** -> Create/edit section -> **Name**
- **Settings** -> **Assets** -> **Volumes** -> Create/edit volume -> **Name**
- **Settings** -> **Users** -> **User Groups** -> Create/edit group -> **Name**
3. Set **Name** to:
```html
<img src=x onerror="alert('XSS')">
```
4. Save.
5. Go to **Settings** -> **Fields** -> Create new field.
6. To trigger the XSS payload: Set **Field Type** to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.
**Note:** User Group Name also reflects on **User permissions page** under **User Groups** section (`/admin/users/{id}/permissions`).
---
### Bug 4: Global Set Name
1. Go to **Settings** -> **Globals** (`/admin/settings/globals`).
2. Create/edit a Global Set, set **Name** to payload.
3. Save.
4. Go to **Users** -> Edit any user -> **Permissions** tab (`/admin/users/{id}/permissions`).
5. Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.
---
### Bug 5: Generated Fields Name
1. Go to **Settings** -> **Assets** -> **Volumes** -> Create/Edit a volume.
2. Scroll to **Generated Fields** section.
3. Add a field, set **Name** to payload:
```html
<img src=x onerror="alert('XSS')">
```
4. Save & Notice the alert. The payload renders in the **Card Attributes** checkbox list below it.
---
### Bug 6: Checkboxes/Radio Buttons Option Label
1. Go to **Settings** -> **Fields** (`/admin/settings/fields`).
2. Create new field, set **Field Type** to "Checkboxes" or "Radio Buttons".
3. In **Field Options**, add an option with **Label** set to payload.
4. Save the field.
5. Go to **Settings** -> **Users** -> **User Profile Fields** (`/admin/settings/users/fields`).
6. Add the created field to the layout and save.
7. Alert fires on any user profile page (`/admin/users/{id}`).
---
### Bug 7: Custom Sources Label
1. Go to **Users** (`/admin/users`).
2. Click the three dots icon -> **Customize Sources**.
3. Create a new custom source, set **Label** to payload.
4. Save.
5. Go to **Settings** -> **Fields** -> Create new field.
6. Set **Field Type** to "Users".
7. Alert fires in the Sources checkbox list.
## Resources
https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into **4 reports** as follows:
| Report | What's Vulnerable | Why Separate |
|--------|-------------------|--------------|
| **This Report (1)** | Multiple settings names | Twig Template: `_includes/forms/checkbox.twig` |
| **Report 2** | Entry Types Name | Twig Template: `_includes/forms/editableTable.twig` |
| **Report 3** | Card Attributes in Field Layout | `helpers/Cp.php` |
| **Report 4 (Commerce)** | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |
Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.
**Note:** This overview is only in this Report. Other reports only reference this one.
---
## Summary
Stored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.
---
## Affected Sources
| # | Source (injection point) | Sink (where payload reflects) |
| --- | ------------------------------------------------------------------------ | --------------------------------------------- |
| 1 | Section Name (`/admin/settings/sections`) | Entries field -> Sources checklist |
| 2 | Volume Name (`/admin/settings/assets/volumes/{vol_id}`) | Assets field -> Sources checklist |
| 3 | User Group Name (`/admin/settings/users/groups`) | Users field -> Sources, User permissions page |
| 4 | Global Set Name (`/admin/settings/globals`) | User permissions page |
| 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes |
| 6 | Checkboxes & Radio Buttons Field Option Label (`/admin/settings/fields`) | User profile pages |
| 7 | Custom Sources Label (`/admin/users` -> Customize Sources) | Users field -> Sources checklist |
---
## Proof of Concept
### Required Permissions (Attacker)
- Admin access
- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).
### Bugs 1-3: Section, Volume, User Group Names
1. Log in as admin.
2. Inject payload in one of these:
- **Settings** -> **Sections** -> Create/edit section -> **Name**
- **Settings** -> **Assets** -> **Volumes** -> Create/edit volume -> **Name**
- **Settings** -> **Users** -> **User Groups** -> Create/edit group -> **Name**
3. Set **Name** to:
```html
<img src=x onerror="alert('XSS')">
```
4. Save.
5. Go to **Settings** -> **Fields** -> Create new field.
6. To trigger the XSS payload: Set **Field Type** to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.
**Note:** User Group Name also reflects on **User permissions page** under **User Groups** section (`/admin/users/{id}/permissions`).
---
### Bug 4: Global Set Name
1. Go to **Settings** -> **Globals** (`/admin/settings/globals`).
2. Create/edit a Global Set, set **Name** to payload.
3. Save.
4. Go to **Users** -> Edit any user -> **Permissions** tab (`/admin/users/{id}/permissions`).
5. Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.
---
### Bug 5: Generated Fields Name
1. Go to **Settings** -> **Assets** -> **Volumes** -> Create/Edit a volume.
2. Scroll to **Generated Fields** section.
3. Add a field, set **Name** to payload:
```html
<img src=x onerror="alert('XSS')">
```
4. Save & Notice the alert. The payload renders in the **Card Attributes** checkbox list below it.
---
### Bug 6: Checkboxes/Radio Buttons Option Label
1. Go to **Settings** -> **Fields** (`/admin/settings/fields`).
2. Create new field, set **Field Type** to "Checkboxes" or "Radio Buttons".
3. In **Field Options**, add an option with **Label** set to payload.
4. Save the field.
5. Go to **Settings** -> **Users** -> **User Profile Fields** (`/admin/settings/users/fields`).
6. Add the created field to the layout and save.
7. Alert fires on any user profile page (`/admin/users/{id}`).
---
### Bug 7: Custom Sources Label
1. Go to **Users** (`/admin/users`).
2. Click the three dots icon -> **Customize Sources**.
3. Create a new custom source, set **Label** to payload.
4. Save.
5. Go to **Settings** -> **Fields** -> Create new field.
6. Set **Field Type** to "Users".
7. Alert fires in the Sources checkbox list.
## Resources
https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
ghsa CVSS4.0
2.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026