CVE-2026-27126 MEDIUM

CVE-2026-27126: Craft CMS has Stored XSS in Table Field via "HTML" Column Type

Vendor Craftcms
Product cms
Weakness CWE-79 · XSS
Published February 24, 2026
Last update February 24, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.

Key dates

02Disclosure timeline

February 24, 2026 CVE published
February 24, 2026 Record updated