CVE-2026-27126
Published 2026-02-24
Priority: P4 · 23 · medium · 4.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.22% (12.1th percentile)
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
Affected (8 ranges; rows showing "—" carry no version data in the source feed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.5.0-RC1 < 4.16.19 | 4.16.19 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.23 | 5.8.23 |
| craftcms | craft_cms | < 4.16.19 | 4.16.19 |
| craftcms | craft_cms | < 5.8.23 | 5.8.23 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
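The affected ranges above are awkward to check by eye because both branches start at a release-candidate tag. The following script is an added example, not Craft's or the advisory's code: it reads the installed `craftcms/cms` version out of `composer.lock` and tests it against the two ranges using PHP's built-in `version_compare()`, which orders `RC` builds before the corresponding release. The `composer.lock` path argument and the embedded sample lock data are assumptions for illustration.

```php
<?php
// Added example (not Craft's or the advisory's own code): decide whether an
// installed craftcms/cms version falls inside the CVE-2026-27126 affected
// ranges. Run as `php check-craft.php /path/to/composer.lock`.

declare(strict_types=1);

/** Affected ranges from the advisory: [lower bound inclusive, fixed version exclusive]. */
const CVE_2026_27126_RANGES = [
    ['4.5.0-RC1', '4.16.19'],
    ['5.0.0-RC1', '5.8.23'],
];

function isAffected(string $version): bool
{
    foreach (CVE_2026_27126_RANGES as [$lower, $fixed]) {
        // version_compare() sorts RC/beta/alpha builds before the matching
        // release, so 4.5.0-RC1 >= 4.5.0-RC1 and 4.16.18 < 4.16.19 both hold.
        if (version_compare($version, $lower, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

/** Pull the installed craftcms/cms version out of composer.lock JSON, or null if absent. */
function installedCraftVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'craftcms/cms') {
            // Composer may record tags with a leading "v"; normalise it away.
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

// Constructed sample lock data (assumption, not a real project) for a self-check.
$sampleLock = json_encode(['packages' => [['name' => 'craftcms/cms', 'version' => '5.8.22']]]);
assert(isAffected(installedCraftVersion($sampleLock)) === true);
assert(isAffected('5.8.23') === false);   // first fixed 5.x release
assert(isAffected('4.5.0-RC1') === true); // lower bound is inclusive
assert(isAffected('4.4.0') === false);    // predates the editableTable html column type

$lockPath = $argv[1] ?? __DIR__ . '/composer.lock';
if (is_file($lockPath)) {
    $v = installedCraftVersion((string) file_get_contents($lockPath));
    printf(
        "%s: craftcms/cms %s -> %s\n",
        $lockPath,
        $v ?? 'not found',
        ($v !== null && isAffected($v)) ? 'AFFECTED' : 'not affected'
    );
}
```

Note that a version inside the range only means the vulnerable template is present; whether it is reachable also depends on the `allowAdminChanges` prerequisite described in the advisory text.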
CVSS provenance
NVD v3.1: 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
NVD v4.0: 5.9 MEDIUM CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (remaining metrics Not Defined)
OSV
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
osv · 2026-02-23 · CVE-2026-27126 [MEDIUM]
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
## Prerequisites
* An administrator account
* `allowAdminChanges` must be enabled in production, which is [against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).
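The second prerequisite is the one a deployment controls. The following `config/general.php` is an added example, not a file from Craft or from the advisory: it keeps `allowAdminChanges` off in every environment except local development, so the control panel's Settings area (and therefore the Table field whose `html` column reaches `editableTable.twig`) cannot be created or edited on a production site. It assumes the Craft 4-style multi-environment array format keyed by `CRAFT_ENVIRONMENT`, where the `'*'` key applies to every environment; check your Craft version's config documentation if you use the fluent `GeneralConfig` style instead.

```php
<?php
// Added example (not Craft's own file): config/general.php that follows the
// "set allowAdminChanges to false in production" recommendation linked above.
// Assumes the multi-environment array format keyed by CRAFT_ENVIRONMENT.

return [
    // Applies to every environment, including production and staging.
    '*' => [
        // Weak setting (the advisory's prerequisite) would be:
        //   'allowAdminChanges' => true,
        // With it false, the control panel cannot add or edit fields, so an
        // administrator account alone cannot introduce a Table field with an
        // html column; schema changes must arrive through project config.
        'allowAdminChanges' => false,
    ],

    // Local development only: fields are authored here, then deployed via
    // project config rather than edited live.
    'dev' => [
        'allowAdminChanges' => true,
    ],
];
```

Because `allowAdminChanges` also gates plugin installs and other project-config writes, flipping it off on an existing production site is a change worth scheduling; the intended workflow is to author in `dev` and promote through project config.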
## Steps to Reproduce
1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table**
1. Add a **Column Heading** and set **Column Type** to `Single-line text`
- **Note:** The vul
GHSA
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
ghsa · 2026-02-23 · CVE-2026-27126 [MEDIUM] · CWE-79
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
Published: 2026-02-24