Craft CMS Stored XSS in Table Field Header

GHSA-6j87-m5qx-9fqp
Summary

A vulnerability in Craft CMS allows an attacker to inject malicious code into table headers, which can be executed when another user views the table. To fix this, ensure that 'allowAdminChanges' is disabled in production and use the 'Static Rows' feature. Update to the latest version of Craft CMS to prevent exploitation.

What to do
  • Update craftcms cms to version 4.16.19.
  • Update craftcms cms to version 5.8.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 4.5.0-beta.1, <= 4.16.18 | 4.16.19 |
| craftcms | cms | > 5.0.0-RC1, <= 5.8.22 | 5.8.23 |
Original title
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
Original description
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

## Prerequisites
* An administrator account
* `allowAdminChanges` must be enabled in production, which is [against security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).
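The prerequisite above is the control a site owner actually holds: with `allowAdminChanges` off in production, field settings (including Table column types and default values) cannot be edited there at all. The configuration below is an added example, not text from the advisory or from Craft's own documentation; it assumes the usual `config/general.php` layout with an environment-keyed array, and that the `CRAFT_ENVIRONMENT` variable is set to `production` on the live site so that the `production` key applies.

```php
<?php
// config/general.php (added example, not the project's own file).
// Craft merges the '*' block with the block matching CRAFT_ENVIRONMENT,
// so the production override below wins on the live site.
return [
    '*' => [
        // Schema and field edits are expected in development/staging.
        'allowAdminChanges' => true,
    ],
    'production' => [
        // Removes this advisory's prerequisite: Table fields, their
        // column types and default values can no longer be changed here.
        'allowAdminChanges' => false,
    ],
];
```

Keep schema changes flowing through project config from a non-production environment; the setting only blocks edits made directly in the production control panel, which is exactly the path the reproduction steps rely on.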

## Steps to Reproduce
1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table**
1. Add a **Column Heading** and set **Column Type** to `Row Heading`
1. In **Default Values** section, add a row with the following payload:
```html
<img src=x onerror="alert('XSS')">
```
1. Enable `Static Rows`
1. Use the field in any object (e.g., user profile fields) → then visit any user’s profile
1. Notice the XSS execution
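The root cause described in the original description is a template that emits the row-heading text without HTML escaping. The PHP below is an added illustration, not code from Craft CMS or from the referenced fix commit: it renders a heading cell two ways, once concatenating the stored value raw (the behaviour the advisory describes) and once after `htmlspecialchars`, which is what Twig's autoescaping or its `e` filter would do. The function names and the minimal `<th>` markup are assumptions for the example; the payload string is the one from the reproduction steps.

```php
<?php
// Added example (not Craft's code): raw versus escaped rendering of a
// Table field "Row Heading" value.

/** Vulnerable shape: stored heading text is spliced into markup untouched. */
function renderHeadingRaw(string $heading): string
{
    return '<th scope="row">' . $heading . '</th>';
}

/** Hardened shape: the heading is HTML-escaped before it reaches the page. */
function renderHeadingEscaped(string $heading): string
{
    // ENT_QUOTES also encodes ' and ", so the value cannot break out of
    // attribute context either; UTF-8 is Craft's charset.
    $safe = htmlspecialchars($heading, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<th scope="row">' . $safe . '</th>';
}

/** True when escaping changed the value, i.e. the input carried markup. */
function headingContainsMarkup(string $heading): bool
{
    return htmlspecialchars($heading, ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $heading;
}

// Constructed input: the payload from the advisory's reproduction steps.
$payload = '<img src=x onerror="alert(\'XSS\')">';

echo renderHeadingRaw($payload), PHP_EOL;      // markup reaches the browser as-is
echo renderHeadingEscaped($payload), PHP_EOL;  // rendered as literal text
var_dump(headingContainsMarkup($payload));
```

Run with `php example.php`. The escaped output shows the `<`, `>`, `"` and `'` characters as entities, so the browser displays the payload as text instead of creating an element with an `onerror` handler. `headingContainsMarkup` is a cheap check a site owner could run over exported field settings to find headings that would have been affected before upgrading to a fixed version.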

## Resources

https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
Source: GHSA · CVSS 4.0 score: 2.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026