{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31859", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.012Z", "datePublished": "2026-03-11T17:37:19.065Z", "dateUpdated": "2026-03-12T14:00:23.631Z"}, "containers": {"cna": {"title": "Craft has Reflective XSS via incomplete return URL sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.15.3, < 4.17.3", "status": "affected"}, {"version": ">= 5.7.5, < 5.9.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:37:19.065Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3."}], "source": {"advisory": "GHSA-fvwq-45qv-xvhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:00:11.429488Z", "id": "CVE-2026-31859", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:00:23.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31859", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:00:11.429488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:00:16.047Z"}}], "cna": {"title": "Craft has Reflective XSS via incomplete return URL sanitization", "source": {"advisory": "GHSA-fvwq-45qv-xvhv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.15.3, < 4.17.3"}, {"status": "affected", "version": ">= 5.7.5, < 5.9.7"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:37:19.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31859", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:00:23.631Z", "dateReserved": "2026-03-09T19:02:25.012Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:37:19.065Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "4634EACF-27D5-4F3E-8314-9E02BB40E83F", "versionEndExcluding": "4.17.3", "versionStartIncluding": "4.15.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6802B26-EF36-4A1A-A589-DC92FBCE4D85", "versionEndExcluding": "5.9.7", "versionStartIncluding": "5.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos (CMS). La correcci\u00f3n para CVE-2025-35939 en craftcms/cms introdujo una llamada a strip_tags() en src/web/User.php para depurar las URL de retorno antes de que se almacenen en la sesi\u00f3n. Sin embargo, strip_tags() solo elimina las etiquetas HTML (corchetes angulares); no inspecciona ni filtra los esquemas de URL. Las cargas \u00fatiles como javascript:alert(document.cookie) no contienen etiquetas HTML y pasan por strip_tags() sin sufrir ninguna modificaci\u00f3n, lo que permite un XSS reflejado cuando la URL de retorno se representa en un atributo href. Esta vulnerabilidad se ha corregido en las versiones 5.9.7 y 4.17.3."}], "id": "CVE-2026-31859", "lastModified": "2026-03-17T14:03:57.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T18:16:24.710", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.15.3,4.17.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.7.5,5.9.7)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:09:13.271257+00:00", "value": {"mitigation_remediation": ["Apply the official patch v5.9.7 or v4.17.3 (or any newer release) to eliminate the vulnerable return URL handling."], "summary": {"action": "Apply Patch", "impact": "Reflected XSS"}, "threat_synthesis": {"affected_systems": "The affected product is Craft CMS (craftcms:cms). All releases prior to the patch versions 5.9.7 and 4.17.3 contain the vulnerability. Updates to these or later versions contain the correct sanitization mechanism.", "description_and_impact": "The vulnerability arises from incomplete sanitization of return URLs in Craft CMS. The implemented strip_tags() call removes only angle\u2010bracketed HTML tags but does not filter URL schemes, allowing payloads such as javascript:alert(document.cookie) to survive. When the unsanitized return URL is later rendered in an href attribute, a reflected XSS attack can be triggered, leading to the execution of arbitrary JavaScript in the victim\u2019s browser, which may compromise confidentiality of user data, hijack sessions, or perform other malicious actions. The weakness is identified as CWE-116 (Improper Encoding for Output) and CWE-79 (Improper Neutralization of Input).", "risk_and_exploitability": "The CVSS score is 6.9, indicating a medium to high severity, while the EPSS score is below 1%, signifying a low probability of real\u2011world exploitation at the time of assessment. The alert is not listed in CISA\u2019s KEV catalog. The attack vector is user\u2011controlled: an adversary can embed a malicious return URL in a link or redirect, and a victim who clicks the link will trigger the XSS payload. The requirement for user interaction and the fact that the attack occurs only when the return URL is rendered in an HTML attribute are key factors that modestly reduce overall risk but do not eliminate it."}}}}, "created": "2026-03-12T09:57:34.748231+00:00", "updated": "2026-03-20T15:30:11.679148+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}