VYPR
Medium severity · NVD Advisory · Published Feb 27, 2026 · Updated Apr 15, 2026

CVE-2026-3327

Description

Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated iframe injection in Dato CMS Web Previews allows bypass of frontend URL restriction, enabling arbitrary external resource loading.

Vulnerability Description

CVE-2026-3327 is an authenticated iframe injection vulnerability in the Dato CMS Web Previews plugin. The plugin allows authenticated users to preview frontend content via an embedded iframe, but the initial path parameter (passed via URL query string or the user's configured initial path) was not properly sanitized before being used as the iframe source. This oversight permits a malicious authenticated user to supply an arbitrary external URL, bypassing the intended restriction that the iframe should only load the configured frontend URL.

Exploitation

An attacker who has authenticated access to the Dato CMS Web Previews plugin can manipulate the path query parameter in the iframe state initialization. The vulnerable code directly passed the user-supplied path to the iframe without validation, allowing the loading of any external origin. The attack requires no additional privileges beyond being an authenticated user of the Web Previews plugin, making it a low-complexity exploit within the trusted user boundary.

Impact

By injecting an arbitrary external resource into the iframe, an attacker could perform content spoofing, potentially tricking other authenticated users into interacting with a malicious site. Additionally, if the injected resource executes scripts, it could lead to cross-origin information disclosure or session token theft within the context of the Dato CMS dashboard. The vulnerability is rated Medium severity due to the requirement of authentication and the potential for partial compromise of administrative interface security.

Mitigation

The issue has been addressed in Web Previews v1.0.31 by introducing the normalizePathForVisualEditing function, which sanitizes the path parameter against allowed origins and falls back to a safe default. All users are urged to upgrade to the latest version. No known workarounds exist beyond restricting authenticated access to trusted users [1].
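The fix described above amounts to binding the preview path to the configured frontend origin before it ever reaches the iframe. The following is an added example of that kind of normalization, written for this page; it is not the plugin's own normalizePathForVisualEditing implementation, and the names FRONTEND_URL and safePreviewUrl, as well as the sample URLs, are assumptions constructed for illustration.

```javascript
// Added example (not the Web Previews plugin's own code): resolve a
// user-supplied preview path against the configured frontend URL and
// refuse any result that would leave that origin. FRONTEND_URL and
// safePreviewUrl are hypothetical names chosen for this example.

const FRONTEND_URL = "https://preview.example.com"; // constructed sample config

// Returns an absolute URL that is guaranteed to share FRONTEND_URL's origin,
// or the frontend root when the input cannot be trusted. The WHATWG URL
// parser does the heavy lifting: a relative path stays on the base origin,
// while "https://evil.example/x", "//evil.example/x", or "javascript:..."
// resolve to URLs whose origin no longer matches (javascript:, data: and
// blob: URLs report the opaque origin "null", so the same check rejects them).
function safePreviewUrl(userPath, frontendUrl = FRONTEND_URL) {
  const base = new URL(frontendUrl);
  const fallback = base.origin + "/";

  if (typeof userPath !== "string" || userPath.length === 0) {
    return fallback;
  }

  let resolved;
  try {
    resolved = new URL(userPath, base);
  } catch {
    // Unparseable input: never let it reach the iframe src attribute.
    return fallback;
  }

  if (resolved.origin !== base.origin) {
    return fallback;
  }

  return resolved.href;
}

// Constructed sample inputs as a defender would see them in a preview request.
const SAMPLE_PATHS = [
  "/blog/post-1?preview=1",        // legitimate relative path
  "https://evil.example/phish",    // absolute external origin
  "//evil.example/phish",          // protocol-relative external origin
  "javascript:alert(1)",           // scheme with an opaque origin
];

for (const p of SAMPLE_PATHS) {
  console.log(JSON.stringify(p), "->", safePreviewUrl(p));
}
```

The design choice worth noting is that the check compares parsed origins rather than matching string prefixes: a prefix test against "https://preview.example.com" would still accept "https://preview.example.com.evil.example/" or "https://preview.example.com@evil.example/", while origin comparison after full parsing does not.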

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 50