CVE-2026-33051: Craft CMS Vulnerable to Stored XSS in Revision Context Menu

March 18, 2026 (updated March 20, 2026)

The revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves.

If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator.

Users should update to Craft 5.9.11, which contains the patch, to mitigate the issue.

References

  • github.com/advisories/GHSA-3x4w-mxpf-fhqq
  • github.com/craftcms/cms
  • github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
  • github.com/craftcms/cms/releases/tag/5.9.11
  • github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
  • nvd.nist.gov/vuln/detail/CVE-2026-33051

Affected versions

All versions starting from 5.9.0-beta.1 before 5.9.11

Fixed versions

  • 5.9.11

Solution

Upgrade to version 5.9.11 or above.

Impact: 5.4 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

packagist/craftcms/cms/CVE-2026-33051.yml

Page generated Tue, 24 Mar 2026 12:18:51 +0000.