CVE-2026-55793

CVE-2026-55793 is a medium-severity cross-site scripting (XSS) vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, < 5.9.22. It is fixed in 5.9.53.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Craft CMS: Stored XSS via Structure entry title in table view

Stored XSS via Structure entry title in table view

An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session.

The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping.

Execution was verified with alert(document.domain). Impact was verified against an elevated admin session by changing the admin user’s email through users/save-user, then using the password-reset flow to take over the account.

Preconditions

  • Attacker has createEntries + saveEntries on a Structure-type section (Author-style CP account; no admin permission required).
  • Victim has saveEntries on the same section. Craft only renders drag handles when structureEditable is true, which requires this permission, so any admin qualifies.
  • Section must be type Structure. Channel and Single sections are unaffected.
  • Poisoned entry must have no children at the time of the drag (fires on the 0-to-1 descendant transition).
  • For the email-change account-takeover path, the victim must currently have an elevated session. The stored XSS itself does not require elevation.

Root cause

ElementTableSorter.js lines 643-652:

const ancestorTitle = this._updateAncestors._$ancestor.data('title');
$(
  '<button … aria-label="' +
    Craft.t('app', 'Show {title} children', {title: ancestorTitle}) +
  '"></button>'
).insertAfter(…);

Craft.t with a {title} token calls _parseToken, reaches case 'none': return arg (Craft.js:193-194), and returns the title verbatim. The result is handed to jQuery's $() and parsed as HTML.

The server-side template correctly encodes the entry title into data-title, but the browser decodes that attribute before jQuery returns it from .data('title'). At that point the value is attacker-controlled HTML, and it is inserted into the aria-label attribute without Craft.escapeHtml().

Steps to reproduce

Plant (attacker - Author account):

python3 poc.py --url http://target --cp admin \
  --user [email protected] --pass secret --section mySection

Trigger (victim - any control panel user with saveEntries, e.g. admin):

  1. Open the section index in Table view.
  2. Drag the "Drag me" entry and drop it as the first child of the poisoned entry.

alert(document.domain) fires in the victim’s session.

Impact payload tested in an elevated admin session (249 chars, within the 255-char title limit):

"><img src=x onerror="fetch(Craft.actionUrl+'users/save-user',{method:'POST',body:Craft.csrfTokenName+'='+encodeURIComponent(Craft.csrfTokenValue)+'&userId=1&email=attacker%40evil.com',headers:{'Content-Type':'application/x-www-form-urlencoded'}})">

When triggered during an elevated admin session, the admin’s email is changed to the attacker-controlled address. The attacker can then request a password reset and receive the reset link.

Mitigating factors

  • Requires an existing control panel account (Author role minimum).
  • Victim must perform a drag operation, not just visit the page.
  • The demonstrated email-change takeover requires the victim’s session to be elevated at trigger time.

Resources

https://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc

Impact

Stored XSS in the control panel from an Author-level account. The payload runs as the victim control panel user and can use Craft.csrfTokenName / Craft.csrfTokenValue to send same-origin action requests as that user.

In my test environment, triggering the payload in an elevated admin session allowed Author-to-admin account takeover via admin email change and password reset.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

craftcms/cms (>= 5.0.0-RC1, < 5.9.22)

Security releases

craftcms/cms → 5.9.53 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade craftcms/cms to 5.9.53 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-55793? CVE-2026-55793 is a medium-severity cross-site scripting (XSS) vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, < 5.9.22. It is fixed in 5.9.53. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of craftcms/cms are affected by CVE-2026-55793? craftcms/cms (composer) versions >= 5.0.0-RC1, < 5.9.22 is affected.
  3. Is there a fix for CVE-2026-55793? Yes. CVE-2026-55793 is fixed in 5.9.53. Upgrade to this version or later.
  4. Is CVE-2026-55793 exploitable, and should I be worried? Whether CVE-2026-55793 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-55793 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-55793? Upgrade craftcms/cms to 5.9.53 or later.

Other vulnerabilities in craftcms/cms

Stop the waste.
Protect your environment with Kodem.