Headline
GHSA-jp3q-wwp3-pwv9: Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue
Summary
An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.
Affected Product
- Ecosystem: Packagist (Craft CMS plugin)
- Package: solspace/craft-freeform
- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.
Details
- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using
dangerouslySetInnerHTMLwithout sanitization. - Evidence:
dangerouslySetInnerHTMLon user-controlled properties in bundled CP JS at packages/plugin/src/Resources/js/client/client.js.
PoCs
- Label-based XSS:
- In Craft CP, create/edit a Freeform field and set its label to
<img src=x onerror="alert('xss-label')">. - Open the form builder view containing the field.
- Alert executes (stored XSS).
- In Craft CP, create/edit a Freeform field and set its label to
- Integration icon SVG:
- Set an integration “icon SVG” to
<svg><script>alert('xss-icon')</script></svg>. - Open the integrations CP view.
- Script executes.
- Set an integration “icon SVG” to
Impact Arbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.
Remediation
- Sanitize/HTML-encode all user-controlled strings before passing to
dangerouslySetInnerHTML, or avoid it for labels/titles/icons. - Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.
- Add regression tests with
<img onerror>payloads to ensure no execution in builder/integration views.
Workarounds
- Restrict form-edit permissions to trusted admins only until patched.
- Consider CSP that disallows inline scripts (defense-in-depth only).
Credits
- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.
Disclosure / CVE Request
- Request CVE for this confirmed stored XSS.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-jp3q-wwp3-pwv9
Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue
Low severity GitHub Reviewed Published Jan 22, 2026 in solspace/craft-freeform • Updated Jan 22, 2026
Package
composer solspace/craft-freeform (Composer)
Affected versions
<= 5.14.6
Summary
An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.
Affected Product
- Ecosystem: Packagist (Craft CMS plugin)
- Package: solspace/craft-freeform
- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.
Details
- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using dangerouslySetInnerHTML without sanitization.
- Evidence: dangerouslySetInnerHTML on user-controlled properties in bundled CP JS at packages/plugin/src/Resources/js/client/client.js.
PoCs
- Label-based XSS:
- In Craft CP, create/edit a Freeform field and set its label to <img src=x onerror="alert(‘xss-label’)">.
- Open the form builder view containing the field.
- Alert executes (stored XSS).
- Integration icon SVG:
- Set an integration “icon SVG” to <svg><script>alert(‘xss-icon’)</script></svg>.
- Open the integrations CP view.
- Script executes.
Impact
Arbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.
Remediation
- Sanitize/HTML-encode all user-controlled strings before passing to dangerouslySetInnerHTML, or avoid it for labels/titles/icons.
- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.
- Add regression tests with <img onerror> payloads to ensure no execution in builder/integration views.
Workarounds
- Restrict form-edit permissions to trusted admins only until patched.
- Consider CSP that disallows inline scripts (defense-in-depth only).
Credits
- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.
Disclosure / CVE Request
- Request CVE for this confirmed stored XSS.
References
- GHSA-jp3q-wwp3-pwv9
Published to the GitHub Advisory Database
Jan 22, 2026
Last updated
Jan 22, 2026