Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
Craft CMS Can Execute Malicious Code When Editing Tables
CVE-2026-27126
GHSA-3jh3-prx3-w6wc
Summary
A security issue in Craft CMS allows an attacker to run malicious code when editing tables, potentially stealing sensitive information or taking control of user accounts. To fix this, disable the 'allowAdminChanges' feature in production and ensure that only trusted administrators have access to the 'Settings' area. Users should also update to the latest version of Craft CMS to address this issue.
What to do
- Update craftcms cms to version 4.16.19.
- Update craftcms cms to version 5.8.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 4.5.0-RC1 , <= 4.16.18 | 4.16.19 |
| craftcms | cms | > 5.0.0-RC1 , <= 5.8.22 | 5.8.23 |
| craftcms | craft_cms | > 4.5.0 , <= 4.16.19 | – |
| craftcms | craft_cms | > 5.0.0 , <= 5.8.23 | – |
| craftcms | craft_cms | 4.5.0 | – |
| craftcms | craft_cms | 4.5.0 | – |
| craftcms | craft_cms | 5.0.0 | – |
| craftcms | craft_cms | 5.0.0 | – |
Original title
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Original description
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
## Prerequisites
* An administrator account
* `allowAdminChanges` must be enabled in production, which is [against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).
## Steps to Reproduce
1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table**
1. Add a **Column Heading** and set **Column Type** to `Single-line text`
- **Note:** The vulnerable **Column Type** is `html`, but it's not available in the UI dropdown.
1. In **Default Values** section, add a row with the following payload:
```html
<img src=x onerror="alert('XSS')">
```
1. Enable `Static Rows`
1. Intercept the **Save Field** request using a proxy tool (e.g., Burp Suite) or use `cURL` directly
1. Modify the request body and change the `types[craft-fields-Table][columns][col3][type]` parameter from `singleline` to `html`
1. Forward the request to save the field
1. Use the field in any object (e.g. user profile fields) → then visit the any user's profile
1. Notice the XSS execution
1. The XSS will also trigger when an administrator attempts to edit this field, as the malicious payload is executed within the field configuration page, too.
## Resources
https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
## Prerequisites
* An administrator account
* `allowAdminChanges` must be enabled in production, which is [against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).
## Steps to Reproduce
1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table**
1. Add a **Column Heading** and set **Column Type** to `Single-line text`
- **Note:** The vulnerable **Column Type** is `html`, but it's not available in the UI dropdown.
1. In **Default Values** section, add a row with the following payload:
```html
<img src=x onerror="alert('XSS')">
```
1. Enable `Static Rows`
1. Intercept the **Save Field** request using a proxy tool (e.g., Burp Suite) or use `cURL` directly
1. Modify the request body and change the `types[craft-fields-Table][columns][col3][type]` parameter from `singleline` to `html`
1. Forward the request to save the field
1. Use the field in any object (e.g. user profile fields) → then visit the any user's profile
1. Notice the XSS execution
1. The XSS will also trigger when an administrator attempts to edit this field, as the malicious payload is executed within the field configuration page, too.
## Resources
https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
nvd CVSS3.1
4.8
nvd CVSS4.0
5.9
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026