{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27126", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-24T02:30:04.882Z", "dateUpdated": "2026-02-24T19:35:38.348Z"}, "containers": {"cna": {"title": "Craft CMS has Stored XSS in Table Field via \"HTML\" Column Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc"}, {"name": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.5.0-RC1, < 4.16.19", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.8.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:30:04.882Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue."}], "source": {"advisory": "GHSA-3jh3-prx3-w6wc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T19:33:58.093384Z", "id": "CVE-2026-27126", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:35:38.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27126", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T19:33:58.093384Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:35:31.642Z"}}], "cna": {"title": "Craft CMS has Stored XSS in Table Field via \"HTML\" Column Type", "source": {"advisory": "GHSA-3jh3-prx3-w6wc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.5.0-RC1, < 4.16.19"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.23"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "name": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:30:04.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27126", "state": "PUBLISHED", "dateUpdated": "2026-02-24T19:35:38.348Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T02:30:04.882Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF425F3E-1E6A-4EE8-A1F8-9FA5399DE8DD", "versionEndExcluding": "4.16.19", "versionStartExcluding": "4.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9572A70-5447-4861-9EC3-E51C5A7A9C56", "versionEndExcluding": "5.8.23", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "48EC469C-4A9C-40A5-AD71-386D47255223", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "25BADF46-CF5B-448C-BE38-D297D7512534", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). En las versiones 4.5.0-RC1 a 4.16.18 y 5.0.0-RC1 a 5.8.22, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente 'editableTable.twig' al usar el tipo de columna 'html'. La aplicaci\u00f3n no sanitiza la entrada, permitiendo a un atacante ejecutar JavaScript arbitrario cuando otro usuario ve una p\u00e1gina con el campo de tabla malicioso. Para explotar la vulnerabilidad, un atacante debe tener una cuenta de administrador, y 'allowAdminChanges' debe estar habilitado en producci\u00f3n, lo cual va en contra de las recomendaciones de seguridad de Craft. Las versiones 4.16.19 y 5.8.23 parchean el problema."}], "id": "CVE-2026-27126", "lastModified": "2026-02-27T20:06:03.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:02.267", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0-RC1,4.16.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.23)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-17T15:54:16.417529+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to the latest patched release (4.16.19 or newer, or 5.8.23 or newer).", "Disable the allowAdminChanges setting in production to prevent administrators from modifying content in that mode.", "Review and remove any existing table fields that use the html column type; sanitize or delete content that may contain malicious scripts."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS via HTML column type in editableTable.twig"}, "threat_synthesis": {"affected_systems": "Affected products are Craft CMS (craftcms:cms). The flaw applies to all releases from 4.5.0\u2011RC1 up to 4.16.18 and from 5.0.0\u2011RC1 up to 5.8.22. Versions 4.16.19 and 5.8.23 contain the patch that sanitizes the html column type field and resolves the issue.", "description_and_impact": "Craft CMS versions 4.5.0\u2011RC1 through 4.16.18 and 5.0.0\u2011RC1 through 5.8.22 contain a stored cross\u2011site scripting vulnerability when an administrator uses the html column type in editable tables. The system does not sanitize input, allowing an attacker with an administrator account and with the allowAdminChanges setting enabled in production to inject arbitrary JavaScript. When another user views the page with the malicious table field the injected script runs in that user's browser, potentially leading to credential theft, session hijacking, and other client\u2011side compromises. The vulnerability is rated moderate with a CVSS score of 5.9 and is a typical stored XSS scenario.", "risk_and_exploitability": "The vulnerability requires the attacker to have an administrator account and to be able to modify content with allowAdminChanges enabled\u2014conditions that are contrary to Craft\u2019s security recommendations. The EPSS is less than 1%, indicating very low exploitation probability. The CVSS of 5.9 suggests a medium impact if exploited. Given the privileged setup needed, the overall risk is moderate, but patching or disabling admin changes is essential to mitigate any possibility of exploitation."}}}}, "created": "2026-02-24T09:53:20.817436+00:00", "updated": "2026-04-17T16:00:11.379865+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}