GHSA-FVWQ-45QV-XVHV
Vulnerability from github – Published: 2026-03-11 00:26 – Updated: 2026-03-11 20:44Summary
The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute.
Details
The patched code in is:
public function setReturnUrl($url): void
{
parent::setReturnUrl(strip_tags($url));
}
strip_tags() removes HTML tags (e.g., <script>, <img>) from a string, but it is not a URL sanitizer. When the sanitized return URL is subsequently rendered in an href attribute context (e.g., <a href="{{ returnUrl }}">), the following dangerous payloads survive strip_tags() completely unmodified:
-
javascript:protocol URLs --javascript:alert(document.cookie)contains no HTML tags, sostrip_tags()returns it verbatim. When placed in anhref, clicking the link executes the JavaScript. -
data:URIs --data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==uses Base64 encoding and contains no tags at all, bypassingstrip_tags()entirely. -
Protocol-relative URLs --
//evil.com/stealcontains no tags and is passed through unchanged. When rendered as anhref, the browser resolves it relative to the current page’s protocol, redirecting the user to an attacker-controlled domain.
The core issue is that strip_tags() operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.
Impact
Reflected XSS via crafted return URL. An attacker constructs a malicious link such as https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie) and sends it to a victim. The attack flow is:
- Victim clicks the link, visiting the Craft CMS site.
- The application calls
setReturnUrl()with the attacker-controlled value. strip_tags()processes the URL but finds no HTML tags -- it passes through unchanged.- The URL is stored in the session and later rendered in an
hrefattribute (e.g., a "Return" or "Continue" link). - When the victim clicks that link,
javascript:alert(document.cookie)executes in the context of the Craft CMS origin.
This enables:
- Session hijacking via cookie theft (document.cookie)
- Data exfiltration via fetch() to an attacker-controlled server
- Phishing by redirecting to a lookalike domain (protocol-relative URL)
- CSRF by performing actions on behalf of the authenticated user
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.2"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.15.3"
},
{
"fixed": "4.17.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.9.6"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.7.5"
},
{
"fixed": "5.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31859"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:26:13Z",
"nvd_published_at": "2026-03-11T18:16:24Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute.\n\n### Details\nThe patched code in is:\n\n```php\npublic function setReturnUrl($url): void\n{\n parent::setReturnUrl(strip_tags($url));\n}\n```\n\n`strip_tags()` removes HTML tags (e.g., `\u003cscript\u003e`, `\u003cimg\u003e`) from a string, but it is **not** a URL sanitizer. When the sanitized return URL is subsequently rendered in an `href` attribute context (e.g., `\u003ca href=\"{{ returnUrl }}\"\u003e`), the following dangerous payloads survive `strip_tags()` completely unmodified:\n\n1. **`javascript:` protocol URLs** -- `javascript:alert(document.cookie)` contains no HTML tags, so `strip_tags()` returns it verbatim. When placed in an `href`, clicking the link executes the JavaScript.\n\n2. **`data:` URIs** -- `data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==` uses Base64 encoding and contains no tags at all, bypassing `strip_tags()` entirely.\n\n3. **Protocol-relative URLs** -- `//evil.com/steal` contains no tags and is passed through unchanged. When rendered as an `href`, the browser resolves it relative to the current page\u2019s protocol, redirecting the user to an attacker-controlled domain.\n\nThe core issue is that `strip_tags()` operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.\n\n### Impact\n\n**Reflected XSS via crafted return URL.** An attacker constructs a malicious link such as `https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie)` and sends it to a victim. The attack flow is:\n\n1. Victim clicks the link, visiting the Craft CMS site.\n2. The application calls `setReturnUrl()` with the attacker-controlled value.\n3. `strip_tags()` processes the URL but finds no HTML tags -- it passes through unchanged.\n4. The URL is stored in the session and later rendered in an `href` attribute (e.g., a \"Return\" or \"Continue\" link).\n5. When the victim clicks that link, `javascript:alert(document.cookie)` executes in the context of the Craft CMS origin.\n\nThis enables:\n- **Session hijacking** via cookie theft (`document.cookie`)\n- **Data exfiltration** via `fetch()` to an attacker-controlled server\n- **Phishing** by redirecting to a lookalike domain (protocol-relative URL)\n- **CSRF** by performing actions on behalf of the authenticated user",
"id": "GHSA-fvwq-45qv-xvhv",
"modified": "2026-03-11T20:44:34Z",
"published": "2026-03-11T00:26:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31859"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.