Threat Advisory

Craft CMS Stored XSS in the fullName Field Enables Privilege Escalation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-33051, has been reported in the Craft CMS platform and affects specific versions of the craftcms/cms package. The issue arises from improper handling of user-supplied input in the revision and draft context menu, where a user's fullName field is rendered as raw HTML without output encoding. An attacker with low-privileged access, such as an author account, can store a malicious script in the fullName field of their own profile; the script executes when an administrator views or interacts with content the attacker has edited. Successful exploitation may lead to privilege escalation, allowing the attacker to obtain administrative access under certain conditions, particularly when the administrator has an elevated session active. The vulnerability highlights the risk of missing output encoding and shows how a low-privileged account can be leveraged to gain higher control of the affected environment. The vulnerability has a CVSS score of 5.3.


RECOMMENDATION:


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-3x4w-mxpf-fhqq
