CVE-2026-27126 is a stored Cross-site Scripting (XSS) vulnerability identified in the Craft CMS, a popular content management system used for building websites. The vulnerability affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. It resides specifically in the editableTable.twig component when the html column type is used. The root cause is improper neutralization of input during web page generation, where user-supplied HTML content is not adequately sanitized before rendering. This allows an attacker with an administrator account to inject arbitrary JavaScript code into the table fields. When other users view pages containing the malicious table, the injected script executes in their browsers, potentially leading to session hijacking, credential theft, or other malicious actions. Exploitation requires that the allowAdminChanges configuration be enabled in production environments, which is contrary to Craft CMS security guidelines. The vulnerability has been assigned a CVSS 4.0 base score of 5.9, reflecting medium severity, with attack vector being network, low attack complexity, partial privileges required (administrator), and user interaction needed (viewing the malicious page). The vulnerability was publicly disclosed on February 24, 2026, and patched in versions 4.16.19 and 5.8.23. There are no known exploits in the wild at this time.

The impact of CVE-2026-27126 is primarily on the confidentiality and integrity of user sessions and data within affected Craft CMS installations. Successful exploitation allows an attacker with administrator access to inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, unauthorized actions, or data theft. Although exploitation requires administrator privileges and a non-default insecure configuration (allowAdminChanges enabled in production), organizations running vulnerable versions with this setting enabled face significant risk. The vulnerability could be leveraged to compromise user accounts, deface websites, or pivot to further internal attacks. Given Craft CMS’s use in various industries for website management, the threat could affect organizations relying on this CMS for public-facing or internal portals, especially if administrators are not following recommended security practices. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks or future exploit development.

To mitigate CVE-2026-27126, organizations should immediately upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where the vulnerability is patched. Administrators must ensure that the allowAdminChanges setting is disabled in production environments, adhering strictly to Craft CMS security recommendations. Review and sanitize all inputs, especially those involving the editableTable.twig component and html column types, to prevent injection of malicious content. Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Conduct regular security audits and penetration testing focused on CMS components to detect similar issues. Limit administrator account usage and enforce strong authentication controls to reduce the risk of privilege abuse. Monitor logs for unusual administrative activity or unexpected changes to table fields. Finally, educate administrators about secure configuration practices and the risks of enabling development features in production.