Craft CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-27126

Medium
Reference: CVE-2026-27126
Title: Craft CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored cross-site scripting (XSS) vulnerability exists in the editableTable.twig component when the html column type is used. The template does not sanitize the column value, so an attacker who can save a malicious table field can execute arbitrary JavaScript in the browser of any other user who views a page rendering that field. Exploitation requires an administrator account, and allowAdminChanges must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue. Disabling allowAdminChanges in production, as Craft recommends, removes the stated precondition for exploitation but is not a substitute for upgrading.
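The version ranges above mix pre-release tags (4.5.0-RC1, 5.0.0-RC1) with final releases, and a naive string comparison gets that ordering wrong. The following triage helper is an added example, not code from Invicti or the Craft CMS project: it encodes the affected and fixed versions stated in this advisory, orders Craft version strings so that a pre-release sorts before the corresponding final release, and reports whether a given deployment also meets the allowAdminChanges precondition. The function and class names are my own.

```python
"""Version-range triage for CVE-2026-27126 (Craft CMS stored XSS in the
editableTable.twig 'html' column type).

Added example, not code from Invicti or the Craft CMS project. The affected
ranges and fixed versions are taken from the advisory text; everything else
(names, structure) is an illustrative assumption.
"""
import re
from functools import total_ordering

# major.minor.patch with an optional pre-release suffix such as "-RC1" or "-beta.2"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")


@total_ordering
class CraftVersion:
    """Orders Craft version strings; a pre-release sorts before its final release."""

    def __init__(self, text):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Craft version string: {text!r}")
        major, minor, patch, tag, tagnum = m.groups()
        self.core = (int(major), int(minor), int(patch))
        # (tag, number) for pre-releases, None for a final release
        self.pre = (tag.lower(), int(tagnum or 0)) if tag else None

    def _key(self):
        # Final releases carry is_final=1 so 4.5.0 > 4.5.0-RC1; among pre-releases
        # the tag compares alphabetically (alpha < beta < rc), then by number.
        if self.pre is None:
            return (self.core, 1, "", 0)
        return (self.core, 0, self.pre[0], self.pre[1])

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()


# Affected ranges (inclusive) and fixed versions as stated in the advisory.
AFFECTED_RANGES = [
    (CraftVersion("4.5.0-RC1"), CraftVersion("4.16.18")),
    (CraftVersion("5.0.0-RC1"), CraftVersion("5.8.22")),
]
FIXED_VERSIONS = {4: "4.16.19", 5: "5.8.23"}


def is_affected(version):
    """True if the given Craft version falls inside an affected range."""
    v = CraftVersion(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(version, allow_admin_changes):
    """Return (affected, precondition_met, advice) for one deployment.

    allow_admin_changes is the value of Craft's allowAdminChanges setting in
    production, which the advisory names as a precondition for exploitation.
    """
    if not is_affected(version):
        return (False, False, "not in an affected range")
    fixed = FIXED_VERSIONS[CraftVersion(version).core[0]]
    if allow_admin_changes:
        return (True, True,
                f"vulnerable and allowAdminChanges is enabled: upgrade to {fixed} "
                "and disable allowAdminChanges in production")
    return (True, False,
            f"vulnerable code present but allowAdminChanges is disabled: still upgrade to {fixed}")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version, admin_changes in [
        ("cms-a", "4.16.18", True),
        ("cms-b", "5.8.23", True),
        ("cms-c", "5.0.0-RC1", False),
    ]:
        print(host, version, triage(version, admin_changes))
```

Note that the check is deliberately inclusive of the RC bounds named in the advisory; a 5.0.0 beta build would sort below 5.0.0-RC1 and be reported as outside the range, which is what the text states but may not match what an installed build actually contains.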