Description
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
Published: 2026-06-21
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Craft CMS’s editableTable.twig component when the 'Row Heading' column type is used. Input contained in row heading default values is not sanitized, allowing an attacker with a compromised or administrator account that has allowAdminChanges enabled to inject arbitrary JavaScript. When another visitor renders the affected page, the injected script runs in the visitor’s browser, potentially stealing session information, defacing the site, or performing other malicious actions in the user’s context. This is a classic stored XSS flaw (CWE‑79) affecting confidentiality, integrity, and availability of site content.

Affected Systems

Craft CMS versions 4.5.0‑beta.1 through 4.16.18 and 5.0.0‑RC1 through 5.8.22 are affected. The vendor is Craft CMS and the product is its core content management system. The flaw is present in all builds within these ranges until fixed in 4.16.19 and 5.8.23.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, but the attack requires administrator privileges with allowAdminChanges enabled, so it is not exploitable by unauthenticated users. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. Nonetheless, any authenticated attacker who can modify table fields can embed malicious code that will execute for all users who view the page, making this a high‑impact risk in environments where attackers can gain admin access.

Generated by OpenCVE AI on June 21, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to at least 4.16.19 or 5.8.23, which contain the official fix.
  • After applying the patch, review all existing tables that use the 'Row Heading' column type and remove or sanitize any default values that are no longer needed.
  • Restrict or audit administrator accounts that have allowAdminChanges enabled, and consider disabling allowAdminChanges for all admins until a security review is completed.

Generated by OpenCVE AI on June 21, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
Title Craft CMS - Stored XSS in Table Field via Row Heading Column Type
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-79
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T14:19:43.199Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56383

cve-icon Vulnrichment

Updated: 2026-06-23T14:00:55.591Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')