PT-2026-23900 · Packagist · Craftcms/Cms
Published: 2026-02-25 · Updated: 2026-02-25
CVSS v4.0: 2.3 (Low)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when the Row Heading column type is used. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page containing the malicious table field.

Prerequisites
- An administrator account
- `allowAdminChanges` must be enabled in production, which is against security recommendations.
Steps to Reproduce
- Navigate to Settings → Fields and create a new field with Type: Table
- Add a Column Heading and set Column Type to Row Heading
- In the Default Values section, add a row with the following payload:
  ```html
  <img src=x onerror="alert('XSS')">
  ```
- Enable Static Rows
- Use the field in any object (e.g., user profile fields), then visit any user's profile
- Notice the XSS execution
Resources
- Fix
- XSS
Affected Products: Craftcms/Cms