CVE-2026-31859: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms cms
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
AI Analysis
Technical Summary
CVE-2026-31859 is a reflected Cross-site Scripting (XSS) vulnerability in Craft CMS, a popular content management system. The issue stems from an incomplete fix for a prior vulnerability (CVE-2025-35939): the developers introduced a strip_tags() call in src/web/User.php to sanitize return URLs before storing them in user sessions. However, strip_tags() only removes HTML tags (angle brackets) and does not validate or filter URL schemes. As a result, a payload such as javascript:alert(document.cookie) bypasses this sanitization because it contains no HTML tags, and it is stored unmodified. When such a return URL is later rendered inside an href attribute, the result is reflected XSS. This vulnerability affects Craft CMS versions from 4.15.3 up to but not including 4.17.3, and from 5.7.5 up to but not including 5.9.7. The flaw allows unauthenticated attackers to execute arbitrary JavaScript in the context of the victim's browser without any user interaction, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability has a CVSS 4.0 base score of 6.9, a medium severity reflecting its network attack vector, the absence of required privileges or user interaction, and a scope confined to the web application. The issue is resolved in Craft CMS versions 4.17.3 and 5.9.7, presumably by improving the sanitization and validation of return URLs to block dangerous schemes. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risk of relying solely on strip_tags() for input sanitization and the importance of validating URL schemes, and the rendering context, whenever user-controlled data is placed in HTML attributes.
Potential Impact
The primary impact of CVE-2026-31859 is the potential for reflected Cross-site Scripting attacks against websites running vulnerable versions of Craft CMS. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who visit crafted URLs containing malicious return URL parameters. This can lead to theft of session cookies, user impersonation, unauthorized actions on behalf of users, defacement, or redirection to malicious sites. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale by attackers. Organizations using affected Craft CMS versions risk compromise of user accounts, data leakage, and reputational damage. The vulnerability could also be leveraged as a stepping stone for further attacks such as phishing or malware distribution. Although no exploits are currently known in the wild, the medium severity score and ease of exploitation make timely remediation critical to prevent potential attacks. The impact is especially significant for organizations with public-facing websites relying on Craft CMS for content management, including e-commerce, media, and enterprise portals.
Mitigation Recommendations
1. Upgrade Craft CMS to version 4.17.3 or later (4.x) or 5.9.7 or later (5.x), where the vulnerability is fixed.
2. Review and enhance input validation and sanitization for all user-controllable URL parameters, ensuring that dangerous URL schemes such as javascript:, data: and vbscript: are explicitly blocked or filtered.
3. Avoid relying solely on strip_tags() for sanitizing URLs or HTML attributes; instead, use robust URL parsing and validation that enforces a scheme allowlist.
4. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the impact of potential XSS vulnerabilities.
5. Conduct thorough security testing, including automated and manual penetration testing focused on XSS vectors, especially in URL parameters and session-handling code.
6. Educate developers on secure coding practices for output encoding and context-aware sanitization to prevent similar issues.
7. Monitor web application logs and traffic for suspicious requests containing unusual URL schemes or XSS payload patterns.
8. If an immediate upgrade is not feasible, consider temporary mitigations such as web application firewall (WAF) rules that detect and block malicious payloads targeting return URL parameters.
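The following is an added illustration, not Craft CMS code, of the gap described in the technical summary and of the scheme allowlisting recommended in items 2 and 3 above: a strip_tags()-only sanitizer beside a return-URL validator that accepts only same-site paths or http(s) URLs on the site's own host. Function names and the example host are assumptions.

```php
<?php
// Added example, not Craft CMS code. Contrasts the strip_tags()-only
// sanitizer the advisory describes with a validator that enforces an
// allowlist of schemes and hosts. Function names and $siteHost are assumed.

// The insufficient pattern: strip_tags() removes angle-bracket tags only,
// so a "javascript:" URL, which contains none, comes back unchanged.
function sanitizeReturnUrlWeak(string $url): string
{
    return strip_tags($url);
}

// Hardened check: accept a same-site relative path or an absolute http(s)
// URL on the site's own host; anything else collapses to $default.
function sanitizeReturnUrlStrict(string $url, string $siteHost, string $default = '/'): string
{
    // Drop ASCII control characters and surrounding whitespace before
    // inspecting the scheme, so the check sees what a browser would parse.
    $url = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $url) ?? '');
    if ($url === '') {
        return $default;
    }
    // Relative path: exactly one leading "/" ("//host" is protocol-relative).
    if ($url[0] === '/' && !str_starts_with($url, '//') && !str_starts_with($url, '/\\')) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;
    }
    // Scheme allowlist, compared case-insensitively: "javascript:" and
    // "data:" never match, whatever their casing.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    // Host must be the site itself, so the value cannot become an open redirect.
    if (strcasecmp($parts['host'], $siteHost) !== 0) {
        return $default;
    }
    return $url;
}

// The advisory's own payload against both functions, plus two benign inputs.
$payload = 'javascript:alert(document.cookie)';
echo sanitizeReturnUrlWeak($payload), PHP_EOL;
echo sanitizeReturnUrlStrict($payload, 'example.com'), PHP_EOL;
echo sanitizeReturnUrlStrict('/dashboard', 'example.com'), PHP_EOL;
echo sanitizeReturnUrlStrict('https://example.com/entries', 'example.com'), PHP_EOL;
```

Template autoescaping of the href value does not close this gap, because javascript: is ordinary attribute text with nothing to encode; the scheme has to be validated before the URL is stored or rendered.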
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T19:02:25.012Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1b88b2f860ef9436021c5
Added to database: 3/11/2026, 6:46:35 PM
Last enriched: 3/18/2026, 7:14:37 PM
Last updated: 4/25/2026, 4:04:13 PM
Views: 87