CVE-2026-27126
Received Received - Intake
Stored XSS in Craft CMS editableTable.twig Allows Admin JavaScript Execution

Publication date: 2026-02-24

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27126
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 5.0.0 (exc) to 5.8.23 (exc)
craftcms craft_cms 4.5.0
craftcms craft_cms 4.5.0
craftcms craft_cms From 4.5.0 (exc) to 4.16.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27126 is a stored Cross-Site Scripting (XSS) vulnerability in the Craft CMS platform, specifically in the editableTable.twig component when using the "html" column type in table fields.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application fails to properly sanitize input in this context, allowing an attacker to inject arbitrary JavaScript code.'}, {'type': 'paragraph', 'content': 'This malicious code executes when another user views a page containing the affected table field.'}, {'type': 'paragraph', 'content': "Exploitation requires the attacker to have an administrator account and the allowAdminChanges setting enabled in production, which is against Craft's security recommendations."}, {'type': 'paragraph', 'content': 'The "html" column type is not normally available via the UI but can be exploited by intercepting and modifying the save field request to change a column type to "html".'}] [1]

Impact Analysis

This vulnerability allows an attacker with administrator access to inject and execute arbitrary JavaScript code within the CMS.

When other users view pages containing the malicious table field, the injected script runs in their browsers, potentially leading to session hijacking, data theft, or other malicious actions.

Because exploitation requires administrator privileges and a specific configuration (allowAdminChanges enabled in production), the risk is somewhat limited but still significant if those conditions are met.

The vulnerability can compromise the integrity and security of the CMS environment and its users.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft CMS installation uses affected versions (4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22) and if the editableTable.twig component contains table fields with the "html" column type.'}, {'type': 'paragraph', 'content': 'Since the "html" column type is not available via the UI dropdown, detection involves intercepting and inspecting save field requests to see if the parameter `types[craft-fields-Table][columns][col3][type]` or similar is set to "html".'}, {'type': 'paragraph', 'content': 'You can use proxy tools like Burp Suite or command-line tools like cURL to capture and analyze these requests.'}, {'type': 'list_item', 'content': 'Use Burp Suite or a similar proxy to intercept HTTP requests when saving table fields in Craft CMS and check for the presence of the "html" column type in the request payload.'}, {'type': 'list_item', 'content': 'Run a command like the following to fetch the field configuration and search for the "html" column type (replace URL and authentication as needed):'}, {'type': 'list_item', 'content': 'curl -X GET "https://your-craftcms-site/api/fields" -H "Authorization: Bearer <token>" | grep \'"type":"html"\''}, {'type': 'paragraph', 'content': 'Note that detection requires access to administrative API endpoints or the ability to intercept admin requests, as exploitation requires an administrator account.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation steps are to upgrade Craft CMS to a patched version where this vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Upgrade to Craft CMS version 4.16.19 or later if you are on the 4.x branch.'}, {'type': 'list_item', 'content': 'Upgrade to Craft CMS version 5.8.23 or later if you are on the 5.x branch.'}, {'type': 'paragraph', 'content': "Additionally, ensure that the `allowAdminChanges` setting is disabled in production environments, as enabling it is against Craft's security recommendations and is required for exploitation."}, {'type': 'paragraph', 'content': 'The patch removes support for the unsafe "html" column type and enforces strict validation of allowed column types, preventing this attack vector.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart