Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored cross-site scripting (XSS) vulnerability exists in the editableTable.twig component when a table field uses the html column type. Cell content of that column type is rendered without sanitization, so an attacker who can save such a field can store arbitrary JavaScript that runs in the browser of any other user who later views a page containing the malicious table field. Exploitation requires an administrator account, and allowAdminChanges must be enabled in production, which is against Craft's security recommendations (it should be false on production systems). Versions 4.16.19 and 5.8.23 patch the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 4.5.0-RC1, < 4.16.19 | 4.16.19 |
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.8.23 | 5.8.23 |
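The two things a practitioner has to establish for this advisory are whether the installed craftcms/cms falls inside the affected ranges in the table above (pre-release boundaries such as 4.5.0-RC1 included) and whether allowAdminChanges is left enabled on the production host. The following triage script is an added illustration, not Craft's own code or tooling: it compares a composer.lock entry against the advisory's version ranges and runs a regex heuristic over config/general.php text. The composer.lock and general.php samples at the bottom are constructed for the example, and the regex is an assumption about the two common spellings of the setting (array style and fluent style), not a full PHP parser.

```python
"""Triage helper for this Craft CMS advisory (added example, not Craft code).
Checks the installed craftcms/cms version against the advisory's affected
ranges and inspects config/general.php for allowAdminChanges."""
import json
import re

# (lower bound inclusive, upper bound exclusive, version to upgrade to),
# copied from the advisory's affected-packages table.
AFFECTED_RANGES = [
    ("4.5.0-RC1", "4.16.19", "4.16.19"),
    ("5.0.0-RC1", "5.8.23", "5.8.23"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(text):
    """Map '4.5.0-RC1' or '5.8.23' to a tuple that orders like Composer:
    alpha < beta < RC < final release, so 4.5.0-RC1 sorts below 4.5.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        pre = (len(_PRE_ORDER), 0)  # final release outranks any pre-release
    else:
        pre = (_PRE_ORDER.get(tag.lower(), 0), int(num or 0))
    return (int(major), int(minor), int(patch)) + pre


def patched_version_for(installed):
    """Return the version to upgrade to, or None when `installed` lies outside
    both affected ranges (already patched, or older than 4.5.0-RC1)."""
    v = parse_version(installed)
    for lower, upper, patched in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return patched
    return None


def check_composer_lock(lock_text):
    """Find craftcms/cms in a composer.lock document and return
    (installed_version, patched_version_or_None)."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            installed = pkg["version"]
            return installed, patched_version_for(installed)
    raise LookupError("craftcms/cms not found in composer.lock")


# Heuristic (assumption): matches `'allowAdminChanges' => false` (array
# style) and `->allowAdminChanges(false)` (fluent style).  An environment
# override or a conditional PHP expression would not be seen by this regex,
# so confirm the effective value in the running environment as well.
_ADMIN_CHANGES_RE = re.compile(r"allowAdminChanges'?\s*(?:=>|\()\s*(true|false)")


def admin_changes_allowed(general_php):
    """Return True/False from the last allowAdminChanges literal in the file,
    or None when the file never sets it (Craft's default then applies)."""
    matches = _ADMIN_CHANGES_RE.findall(general_php)
    if not matches:
        return None
    return matches[-1] == "true"


if __name__ == "__main__":
    # Constructed sample: a lock file pinned to the last vulnerable 4.x build.
    SAMPLE_LOCK = json.dumps({"packages": [
        {"name": "craftcms/cms", "version": "4.16.18"},
        {"name": "twig/twig", "version": "3.8.0"},
    ]})
    # Constructed sample: the recommended production setting.
    SAMPLE_GENERAL_PHP = "return [\n    'allowAdminChanges' => false,\n];\n"

    installed, patched = check_composer_lock(SAMPLE_LOCK)
    if patched:
        print(f"craftcms/cms {installed} is affected; upgrade to {patched}")
    else:
        print(f"craftcms/cms {installed} is not in the affected range")
    if admin_changes_allowed(SAMPLE_GENERAL_PHP):
        print("allowAdminChanges is true: an admin can reach the vulnerable table editor")
```

Run it against a real project by replacing the constructed samples with the contents of composer.lock and config/general.php. A None result from admin_changes_allowed means the file does not set the value at all, which is worth treating as "unknown" rather than "safe" until the effective setting is confirmed on the host.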
References
- github.com/advisories/GHSA-3jh3-prx3-w6wc (GitHub Advisory Database entry)
- nvd.nist.gov/vuln/detail/CVE-2026-27126 (NVD entry)
- github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b (commit in craftcms/cms)
- github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc (vendor advisory)