[MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

PKSA-t9v1-2frg-d2wy CVE-2026-31859 GHSA-fvwq-45qv-xvhv

Affected package: craftcms/cms

Affected version: >=5.7.5,<=5.9.6|>=4.15.3,<=4.17.2

Reported by:
GitHub