CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52772

mediumCVSS 5.5covered by 1 sourcefirst seen 2026-07-09
Bazar form-field templates still apply |raw('html') to field.label / field.hint in attribute and label-body contexts — stored XSS in form renders (sibling class of commit e6b66aa) CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting") via CWE-116 (Improper Encoding or Escaping of Output) — same class as the partial fix at commit e6b66aa CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N → 4.7 (Medium) (Privileges Required = High because writing the field definitions requires saisie_formulaire, which tools/bazar/services/Guard.php:58-61 grants only to admins by default; Scope = Changed because the XSS payload set by a form-editor admin executes in the origin context of arbitrary viewers, including unauthenticated visitors.) Summary Commit e6b66aa ("fix(bazar): leave the twig escape placeholder as is", 2026-05-19) recognised that emitting field.label through Twig's raw('html') filter into an HTML attribute is unsafe — Twig's raw marker suppresses the attribute auto-escape, striptags removes <…> tags but not ", so a label containing " can break out of the attribute and inject event-handler attributes. The commit fixed tools/bazar/templates/inputs/text.twig:19 and tools/bazar/templates/inputs/textarea.twig:3. At least seven additional templates have the same pattern and were not touched by the fix: - tools/bazar/templates/inputs/range.twig:19 — placeholder="{{ field.label|raw('html')|striptags }}" - tools/bazar/templates/inputs/email.twig:13 — placeholder="{{ field.label|raw('html')|striptags }}" - tools/bazar/templates/layouts/input.twig:7 — title="{{ field.hint|raw('html') }}" alt="{{ field.hint|raw('html') }}" - tools/bazar/templates/inputs/textarea.twig:14 — same title=/alt= pattern (the commit only fixed line 3, line 14 remains) - tools/bazar/templates/inputs/user.twig:41, 55 — same - tools/bazar/templates/inputs/bookmarklet.twig:4 — same - tools/bazar/templates/layouts/input.twig:9, tools/bazar/templates/layou

⚡ Watch CVE-2026-52772

Get an email if CVE-2026-52772 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52772

CVE.org record

Embed the live status

CVE-2026-52772 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52772 status](https://www.csirts.com/badge/CVE-2026-52772)](https://www.csirts.com/cve/CVE-2026-52772)