CVE-2026-56383
Status: Received - Intake
Stored XSS in Craft CMS via EditableTable Row Heading

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-21
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor    Product    Version / Range                              Status
craftcms  craft_cms  From 4.5.0-beta.1 (inc) to 4.16.18 (inc)     affected
craftcms  craft_cms  From 5.0.0-RC1 (inc) to 5.8.22 (inc)         affected
craftcms  craft_cms  4.16.19                                      fixed
craftcms  craft_cms  5.8.23                                       fixed
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-56383 is a stored cross-site scripting (XSS) vulnerability in Craft CMS affecting the editableTable.twig component when using the 'Row Heading' column type in Table fields.

The application fails to properly sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript code.

This malicious JavaScript executes when another user views a page containing the affected table field, potentially leading to unauthorized actions or data theft.

The vulnerability affects Craft CMS versions 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 and was fixed in versions 4.16.19 and 5.8.23.

Impact Analysis

This vulnerability allows an attacker with administrator privileges and the allowAdminChanges setting enabled to inject malicious JavaScript into row heading default values.

When other users view pages containing the affected table field, the injected script executes, which can lead to unauthorized actions or theft of sensitive data.

Because the attack requires administrator privileges, it is less likely to be exploited where administrator access is tightly controlled; the realistic scenario is a compromised or malicious administrator account.

If exploited, the script can hijack the sessions of other users who view the field, leak data, or perform actions on their behalf. Because Table field settings are part of Craft's project config, a payload stored in a heading default value is also written to the project config files and propagates to any environment that applies them.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the editableTable.twig component of Craft CMS when the 'Row Heading' column type is used. Detection starts with inventory: confirm whether the installation runs an affected version (4.5.0-beta.1 through 4.16.18, or 5.0.0-RC1 through 5.8.22) and whether any Table field uses the 'Row Heading' column type.

Since injection requires an administrator account with allowAdminChanges enabled, review administrator-created Table fields for unexpected HTML or JavaScript in row heading default values. Table field settings are stored both in Craft's project config (config/project/fields/) and in the fields database table, so either copy can be inspected.

The resources linked from this entry provide no specific commands for detecting this vulnerability on a network or system.

Mitigation Strategies

The primary mitigation is to upgrade Craft CMS to a fixed version: 4.16.19 or later in the 4.x series, or 5.8.23 or later in the 5.x series.

Additionally, set allowAdminChanges to false in production (in config/general.php, on a per-environment basis) so that administrators cannot change field settings, including Table column definitions and default values, from the control panel. With it disabled, those settings are applied from the project config files deployed with the site, so reviewing committed project config and controlling who can push it become the compensating control.

Review existing Table fields that use the 'Row Heading' column type and remove any HTML or JavaScript from their default values, both in the control panel and in the committed project config.
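As an added example that is not part of this entry or of the Craft CMS code base, the following Python scans Table field definitions for Row Heading default values that contain markup; it serves both the review step above and the detection guidance earlier on this page. It assumes input shaped like rows of Craft's fields table (handle, type, settings as JSON) or the same structure loaded from config/project/fields/*.yaml; the sample rows and the regular expression are constructed for the example and the regex is a heuristic, not a sanitizer.

```python
import json
import re

# Identifiers Craft uses for Table fields and for the "Row Heading" column type.
TABLE_FIELD_TYPE = "craft\\fields\\Table"
HEADING_COLUMN_TYPE = "heading"

# Constructed heuristic for this example: catches common XSS carriers in a
# value that should be plain text (tags, javascript: URLs, inline handlers).
# It is not a complete HTML sanitizer and will miss exotic encodings.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!?]"        # tag, comment or processing-instruction opener
    r"|javascript\s*:"          # javascript: URL scheme
    r"|\bon[a-z]+\s*=",         # inline event handler (onerror=, onload=, ...)
    re.IGNORECASE,
)


def heading_columns(settings):
    """Return the keys of columns whose type is 'heading' (Row Heading)."""
    columns = settings.get("columns") or {}
    return {key for key, col in columns.items()
            if isinstance(col, dict) and col.get("type") == HEADING_COLUMN_TYPE}


def find_heading_defaults_with_markup(field_rows):
    """Scan Table field definitions for Row Heading default values with markup.

    field_rows: iterable of dicts with "handle", "type" and "settings", where
    settings is either the JSON string stored in Craft's `fields` table or the
    already-parsed mapping from a project config YAML file.
    Returns a list of (field_handle, row_key, column_key, value) tuples.
    """
    findings = []
    for field in field_rows:
        if field.get("type") != TABLE_FIELD_TYPE:
            continue
        raw = field.get("settings") or {}
        settings = json.loads(raw) if isinstance(raw, str) else raw
        cols = heading_columns(settings)
        if not cols:
            continue
        defaults = settings.get("defaults") or {}
        # Defaults are keyed by row ("row1", ...); tolerate a plain list too.
        rows = defaults.items() if isinstance(defaults, dict) else enumerate(defaults)
        for row_key, cells in rows:
            if not isinstance(cells, dict):
                continue
            for col_key in sorted(cols):
                value = cells.get(col_key)
                if isinstance(value, str) and SUSPICIOUS.search(value):
                    findings.append((field.get("handle"), str(row_key), col_key, value))
    return findings


# Constructed sample rows for this example; not data from any real site.
SAMPLE_FIELDS = [
    {
        "handle": "specs",
        "type": TABLE_FIELD_TYPE,
        "settings": json.dumps({
            "columns": {
                "col1": {"heading": "Spec", "handle": "", "type": "heading", "width": ""},
                "col2": {"heading": "Value", "handle": "", "type": "singleline", "width": ""},
            },
            "defaults": {
                "row1": {"col1": "Weight", "col2": ""},
                "row2": {"col1": "<img src=x onerror=alert(document.cookie)>", "col2": ""},
            },
        }),
    },
    {   # Not a Table field: its settings are never inspected.
        "handle": "intro",
        "type": "craft\\fields\\PlainText",
        "settings": json.dumps({"placeholder": "<b>ignored</b>"}),
    },
]

if __name__ == "__main__":
    for handle, row_key, col_key, value in find_heading_defaults_with_markup(SAMPLE_FIELDS):
        print(f"field {handle}: {row_key}/{col_key} -> {value!r}")
```

Feed it rows from `SELECT handle, type, settings FROM fields` against the Craft database, or the mappings produced by yaml.safe_load over config/project/fields/*.yaml. The second source matters when allowAdminChanges is off: field settings then reach production from the committed project config, so that is where a payload would have to be planted.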

Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) issue that allows an attacker with administrator privileges to inject malicious JavaScript, which executes when other users view affected content.

Such XSS vulnerabilities can potentially lead to unauthorized actions or data theft, which may impact the confidentiality and integrity of user data.

Because regulations like GDPR and HIPAA require protection of personal data and prevention of unauthorized access or disclosure, this vulnerability could pose compliance risks if exploited, especially in environments handling sensitive or personal information.

However, exploitation requires an administrator account with the allowAdminChanges setting enabled, which is not recommended for production environments, somewhat limiting the risk.
