CVE-2026-33051 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Craft CMS, a popular content management system. The flaw exists in versions 5.9.0-beta.1 through 5.9.10 within the revision/draft context menu of the element editor. Specifically, the vulnerability stems from the use of Template::raw() combined with Craft::t() string interpolation, which causes the creator’s fullName to be rendered as raw HTML without proper input neutralization. A low-privileged user, such as an Author, can exploit this by setting their fullName field to a malicious XSS payload via the profile editor. After creating an entry and saving it twice, the crafted payload is stored and later executed when an administrator views the revision/draft context menu. Because the administrator’s session is elevated, the attacker’s script runs with high privileges, enabling privilege escalation to administrator level. This attack vector does not require user interaction from the administrator beyond having an active session and viewing the affected interface. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity. No known exploits in the wild have been reported as of the publication date. The issue was resolved in Craft CMS version 5.9.11 by properly sanitizing the fullName output to prevent raw HTML injection.

This vulnerability allows an attacker with low-level access (e.g., an Author role) to escalate privileges to administrator by exploiting an XSS flaw in the CMS interface. The impact includes unauthorized administrative control over the CMS, which can lead to full site compromise, data theft, content manipulation, and deployment of further malicious payloads. Organizations relying on Craft CMS for website management risk defacement, data breaches, and disruption of services. Since the attack requires an administrator to have an active session and view the affected UI, the scope is somewhat limited but still significant in environments with multiple users and roles. The ability to escalate privileges without administrator interaction beyond viewing the interface increases the risk of stealthy compromise. The medium CVSS score reflects a moderate risk but the potential for full administrative takeover elevates the criticality of timely remediation.

Organizations should immediately upgrade Craft CMS to version 5.9.11 or later, where the vulnerability is fixed. Until the upgrade can be performed, restrict the ability of low-privileged users to modify their fullName fields or limit access to the element editor’s revision/draft context menu. Implement strict input validation and output encoding on all user-supplied data, especially fields rendered in administrative interfaces. Monitor administrative sessions and audit logs for unusual activity that may indicate exploitation attempts. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the fullName field. Educate administrators to avoid leaving sessions open unnecessarily and to log out when not actively managing the CMS. Regularly review user roles and permissions to minimize the number of users with access to sensitive CMS features. Finally, conduct penetration testing focused on user input handling and privilege escalation vectors within the CMS environment.