Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via HTML column type in editableTable.twig
Action: Immediate Patch
AI Analysis

Impact

Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 contain a stored cross-site scripting vulnerability in the `html` column type of editable table fields. The `editableTable.twig` component does not sanitize the column's input, so an attacker who holds an administrator account on an installation running with `allowAdminChanges` enabled in production can inject arbitrary JavaScript. When another user views the page containing the malicious table field, the injected script runs in that user's browser, which can lead to credential theft, session hijacking and other client-side compromise. The vulnerability is rated Medium with a CVSS score of 5.9 and follows the typical stored XSS pattern.

Affected Systems

The affected product is Craft CMS (craftcms:cms). The flaw applies to all releases from 4.5.0-RC1 up to 4.16.18 and from 5.0.0-RC1 up to 5.8.22. Versions 4.16.19 and 5.8.23 contain the patch that sanitizes the `html` column type field and resolves the issue.

Risk and Exploitability

Exploitation requires an administrator account and an installation running with `allowAdminChanges` enabled in production, a configuration that is contrary to Craft's security recommendations. The EPSS is below 1%, indicating a very low probability of exploitation in the wild, and the CVSS score of 5.9 indicates a medium impact if exploited. Given the privileged setup required, the overall risk is moderate, but upgrading to a patched release, or at least disabling `allowAdminChanges` in production, is essential to close the exploitation path.

Generated by OpenCVE AI on April 17, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to the latest patched release (4.16.19 or newer on the 4.x line, 5.8.23 or newer on the 5.x line).
  • Disable the `allowAdminChanges` setting in production so that administrative changes cannot be made on the live instance, in line with Craft's security recommendations.
  • Review existing table fields that use the `html` column type and remove them where they are not needed; sanitize or delete any stored content that may contain malicious scripts.

Advisories

Source: GitHub GHSA
ID: GHSA-3jh3-prx3-w6wc
Title: Craft CMS has Stored XSS in Table Field via "HTML" Column Type
History

Fri, 27 Feb 2026 20:15:00 +0000

Values added:
  • First Time appeared: Craftcms craft Cms
  • CPEs:
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  • Vendors & Products: Craftcms craft Cms
  • Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 25 Feb 2026 15:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 10:00:00 +0000

Values added:
  • First Time appeared: Craftcms; Craftcms craftcms
  • Vendors & Products: Craftcms; Craftcms craftcms

Tue, 24 Feb 2026 03:00:00 +0000

Values added:
  • Description: Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
  • Title: Craft CMS has Stored XSS in Table Field via "HTML" Column Type
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T19:35:38.348Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27126

Vulnrichment

Updated: 2026-02-24T19:35:31.642Z

NVD

Status: Analyzed

Published: 2026-02-24T03:16:02.267

Modified: 2026-02-27T20:06:03.410

Link: CVE-2026-27126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses