PT-2026-51231 · Craft Cms · Cms

Mhe4Am · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56383

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Craft CMS versions 4.5.0-beta.1 through 4.16.18
Craft CMS versions 5.0.0-RC1 through 5.8.22

Description

A stored cross-site scripting (XSS) issue exists in the editableTable.twig component when utilizing the 'Row Heading' column type. The application does not properly sanitize input within row heading default values. This allows an attacker with an administrator account, provided that allowAdminChanges is enabled, to inject arbitrary JavaScript. The script executes when another user views a page containing the affected table field.

Recommendations

Update to version 4.16.19 for versions in the 4.x branch.
Update to version 5.8.23 for versions in the 5.x branch.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-56383

Affected Products

Cms