CVE-2026-31859: CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

March 11, 2026

The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) – it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute.

References

github.com/advisories/GHSA-fvwq-45qv-xvhv
github.com/craftcms/cms
github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe
github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv
nvd.nist.gov/vuln/detail/CVE-2026-31859

Code Behaviors & Features

Detect and mitigate CVE-2026-31859 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →