{"id":"CVE-2026-31859","summary":"Craft has Reflected XSS via incomplete return URL sanitization","details":"Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.","aliases":["GHSA-fvwq-45qv-xvhv"],"modified":"2026-04-02T13:24:02.694083Z","published":"2026-03-11T17:37:19.065Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31859.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-116","CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31859.json"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31859"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"7ad3a61e84c0266d24e34d8ce3ebd13154d60b92"},{"fixed":"17bf79c1dbc249b6c79d585eba1414838dc43521"}],"database_specific":{"versions":[{"introduced":"4.15.3"},{"fixed":"4.17.3"}]}},{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"679b82edce8c60ce1008dc70740bf2610adac57d"},{"fixed":"9986382fbf26ed5cd46926ecd84084bf1b564680"}],"database_specific":{"versions":[{"introduced":"5.7.5"},{"fixed":"5.9.7"}]}}],"versions":["4.15.3","4.15.4","4.15.5","4.15.6","4.15.6.1","4.15.6.2","4.15.7","4.16.0","4.16.1","4.16.10","4.16.11","4.16.12","4.16.13","4.16.14","4.16.15","4.16.16","4.16.17","4.16.18","4.
16.19","4.16.2","4.16.3","4.16.4","4.16.5","4.16.6","4.16.6.1","4.16.7","4.16.8","4.16.9","4.16.9.1","4.17.0","4.17.0-beta.1","4.17.0-beta.2","4.17.1","4.17.2","5.7.10","5.7.11","5.7.5","5.7.6","5.7.7","5.7.8","5.7.8.1","5.7.8.2","5.7.9","5.8.0","5.8.1","5.8.10","5.8.11","5.8.12","5.8.13","5.8.13.1","5.8.13.2","5.8.14","5.8.15","5.8.16","5.8.17","5.8.18","5.8.19","5.8.2","5.8.20","5.8.21","5.8.22","5.8.23","5.8.3","5.8.4","5.8.5","5.8.6","5.8.7","5.8.8","5.8.9","5.9.0","5.9.0-beta.1","5.9.0-beta.2","5.9.1","5.9.2","5.9.3","5.9.4","5.9.5","5.9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31859.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}