CVE-2026-31859

MEDIUMPre-NVD 0.0

0.0

CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

Summary

The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute.

Details

The patched code in is:

public function setReturnUrl($url): void
{
    parent::setReturnUrl(strip_tags($url));
}

strip_tags() removes HTML tags (e.g., `, ) from a string, but it is not a URL sanitizer. When the sanitized return URL is subsequently rendered in an href attribute context (e.g., ), the following dangerous payloads survive strip_tags()completely unmodified:

javascript: protocol URLs -- javascript:alert(document.cookie) contains no HTML tags, so strip_tags() returns it verbatim. When placed in an href, clicking the link executes the JavaScript.

data: URIs -- data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== uses Base64 encoding and contains no tags at all, bypassing strip_tags() entirely.

Protocol-relative URLs -- //evil.com/steal contains no tags and is passed through unchanged. When rendered as an href, the browser resolves it relative to the current page’s protocol, redirecting the user to an attacker-controlled domain.

The core issue is that strip_tags() operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.

`Impact`

Reflected XSS via crafted return URL. An attacker constructs a malicious link such as https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie)and sends it to a victim. The attack flow is:

Victim clicks the link, visiting the Craft CMS site.

The application calls setReturnUrl() with the attacker-controlled value.

strip_tags() processes the URL but finds no HTML tags -- it passes through unchanged.

The URL is stored in the session and later rendered in an href attribute (e.g., a "Return" or "Continue" link).

When the victim clicks that link, javascript:alert(document.cookie) executes in the context of the Craft CMS origin.

This enables:

Session hijacking via cookie theft (document.cookie)

Data exfiltration via fetch()` to an attacker-controlled server
Phishing by redirecting to a lookalike domain (protocol-relative URL)
CSRF by performing actions on behalf of the authenticated user

CVSS v3: —
EG Score: 0.0(none)
EPSS: 12.8%
KEV: Not listed

Published

March 11, 2026

Last Modified

March 11, 2026

Vendor Advisories for CVE-2026-31859(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-fvwq-45qv-xvhv
GitHub Security AdvisoriesMedium
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

Data Freshness Timeline

(refreshed 18× in last 7d / 18× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 13:44 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-25 06:37 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-31859?

CVE-2026-31859 is a medium vulnerability published on March 11, 2026. CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization Summary The fix for CVE-2025-35939 in craftcms/cms introduced a striptags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, striptags() only removes HTML tags (angle…

When was CVE-2026-31859 disclosed?

CVE-2026-31859 was first published in the National Vulnerability Database on March 11, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-31859 actively exploited?

CVE-2026-31859 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 12.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

How do I remediate CVE-2026-31859?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-31859, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-31859

Explore →

Is Your Infrastructure Affected by CVE-2026-31859?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-31859

Summary

Details

Impact

📅 Published

🔄 Last Modified

📣 Vendor Advisories for CVE-2026-31859(1)