GHSA-g3hp-vvqf-8vw6: Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page

March 11, 2026

A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user’s permissions.

[!NOTE] This is a separate vulnerability from the previously reported “Stored XSS via User Group Name in User Settings Page” and “Multiple Stored XSS in User Group Edit Page”. This affects a different sink: the individual user’s permissions page.

References

github.com/advisories/GHSA-g3hp-vvqf-8vw6
github.com/craftcms/cms
github.com/craftcms/cms/releases/tag/5.8.22
github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6

Code Behaviors & Features

Detect and mitigate GHSA-g3hp-vvqf-8vw6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →