StackPatch is liveSee product

Back to CVE digest
NVD · CVE-2026-56381

CVE-2026-56381

Published: Sun, 21 Jun 2026 14:16

CVE-2026-56381

Summary

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admi

Details

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

Are YOU affected by CVE-2026-56381?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-56381 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash
Form-based quickscan Read the bash source first

References

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.

Start free trial →See StackPatch →Live audit log →