CVE-2026-31859 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Craft CMS, a popular content management system. The issue stems from an incomplete fix for a prior vulnerability (CVE-2025-35939), where developers introduced a strip_tags() call in the src/web/User.php file to sanitize return URLs before storing them in user sessions. However, strip_tags() only removes HTML tags (angle brackets) and does not validate or filter URL schemes such as javascript:, data:, or vbscript:. Consequently, an attacker can craft a malicious return URL containing a payload like javascript:alert(document.cookie), which bypasses the strip_tags() filter because it contains no HTML tags. When this malicious URL is later rendered in an href attribute on a web page, it triggers a reflected XSS attack. This vulnerability does not require any user authentication or interaction, making it easier to exploit remotely. The flaw affects Craft CMS versions >=4.15.3 and <4.17.3, and >=5.7.5 and <5.9.7, with patches released in versions 4.17.3 and 5.9.7. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited scope impact, resulting in a medium severity score of 6.9. Although no active exploits have been reported, the vulnerability poses a significant risk as it can lead to session hijacking, theft of sensitive information, or execution of arbitrary scripts in the context of the victim’s browser. The root cause is improper neutralization of input during web page generation (CWE-79) and insufficient input validation (CWE-116).

The primary impact of CVE-2026-31859 is the potential for attackers to execute arbitrary JavaScript in the browsers of users visiting vulnerable Craft CMS sites. This can lead to theft of session cookies, user credentials, or other sensitive data, enabling account takeover or unauthorized actions. Additionally, attackers could perform actions on behalf of users, deface websites, or deliver malware via drive-by downloads. Since the vulnerability is reflected and requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk to public-facing websites. Organizations relying on affected Craft CMS versions may suffer reputational damage, data breaches, and compliance violations if exploited. The flaw also undermines user trust in affected web applications. Although no known exploits are currently active, the ease of exploitation and the widespread use of Craft CMS in various industries amplify the potential impact globally.

To mitigate CVE-2026-31859, organizations should immediately upgrade Craft CMS to versions 4.17.3 or 5.9.7 or later, where the vulnerability is patched. Beyond upgrading, developers should avoid relying solely on strip_tags() for sanitizing URLs; instead, implement strict validation of URL schemes to allow only safe protocols such as https and http. Employ a whitelist approach for URL schemes and reject or encode any suspicious inputs. Use context-aware output encoding libraries to properly escape data rendered in HTML attributes, particularly href attributes, to prevent injection of executable code. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and untrusted sources. Conduct thorough code reviews and security testing focused on input validation and output encoding. Monitor web logs for suspicious URL patterns that may indicate attempted exploitation. Finally, educate developers about secure coding practices related to XSS and URL handling.