Impact
The vulnerability resides in Craft CMS’s editableTable.twig component when the 'Row Heading' column type is used. Input contained in row heading default values is not sanitized, allowing an attacker with a compromised or administrator account that has allowAdminChanges enabled to inject arbitrary JavaScript. When another visitor renders the affected page, the injected script runs in the visitor’s browser, potentially stealing session information, defacing the site, or performing other malicious actions in the user’s context. This is a classic stored XSS flaw (CWE‑79) affecting confidentiality, integrity, and availability of site content.
Affected Systems
Craft CMS versions 4.5.0‑beta.1 through 4.16.18 and 5.0.0‑RC1 through 5.8.22 are affected. The vendor is Craft CMS and the product is its core content management system. The flaw is present in all builds within these ranges until fixed in 4.16.19 and 5.8.23.
Risk and Exploitability
The CVSS score of 4.6 indicates moderate severity, but the attack requires administrator privileges with allowAdminChanges enabled, so it is not exploitable by unauthenticated users. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation. Nonetheless, any authenticated attacker who can modify table fields can embed malicious code that will execute for all users who view the page, making this a high‑impact risk in environments where attackers can gain admin access.
OpenCVE Enrichment