CVE-2026-27126

Name of the Vulnerable Software and Affected Versions Craft versions 4.5.0-RC1 through 4.16.18 Craft versions 5.0.0-RC1 through 5.8.22

Description Craft is a content management system (CMS) that contains a stored Cross-site Scripting (XSS) issue within the editableTable.twig component when utilizing the html column type. The application does not properly sanitize input, which allows an attacker to execute arbitrary JavaScript when another user views a page containing the malicious table field. To exploit this, an attacker requires an administrator account and allowAdminChanges must be enabled in production. The vulnerable component is the editableTable.twig component, specifically when using the html column type. The vulnerable parameter is types[craft-fields-Table][columns][col3][type].

Recommendations Craft versions 4.5.0-RC1 through 4.16.18: Upgrade to version 4.16.19 or later. Craft versions 5.0.0-RC1 through 5.8.22: Upgrade to version 5.8.23 or later.