CVE-2026-27126: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms cms
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
AI Analysis
Technical Summary
Craft CMS, a popular content management system, suffers from a stored Cross-site Scripting (XSS) vulnerability identified as CVE-2026-27126. This vulnerability affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The flaw resides in the editableTable.twig component when the html column type is used. Specifically, the application fails to properly sanitize or neutralize input before rendering it on web pages, allowing malicious JavaScript code to be stored and later executed in the browsers of users who view the affected table field. Exploitation requires the attacker to have an administrator-level account and the configuration setting allowAdminChanges enabled in production environments, which is contrary to Craft CMS’s security recommendations. This limits the attack surface but does not eliminate risk, especially in environments where these conditions are met. The vulnerability can lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim’s browser session. The vulnerability was assigned a CVSS 4.0 score of 5.9, indicating a medium severity level, with network attack vector, low attack complexity, partial privileges, and required user interaction. The issue was patched in versions 4.16.19 and 5.8.23, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code in the browsers of users who view the compromised table field, which can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. Since exploitation requires administrator privileges and a specific configuration setting enabled in production, the risk is somewhat mitigated but remains significant in environments that do not follow recommended security practices. Organizations using affected versions of Craft CMS with allowAdminChanges enabled in production are at risk of internal threats or compromised administrator accounts being leveraged to inject malicious scripts. This can undermine the confidentiality and integrity of data managed within the CMS and potentially affect the availability of services if further attacks are chained. The vulnerability could also damage organizational reputation if exploited to deface websites or distribute malware to site visitors.
Mitigation Recommendations
1. Upgrade Craft CMS to version 4.16.19 or later, or 5.8.23 or later, where the vulnerability is patched.
2. Disable the allowAdminChanges setting in production environments as recommended by Craft CMS security guidelines to reduce the attack surface.
3. Enforce strict administrator account management, including strong authentication, least privilege principles, and regular auditing of admin activities.
4. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
5. Regularly review and sanitize all user-generated content, especially when using components like editableTable.twig with html column types.
6. Monitor logs and CMS activity for unusual behavior indicative of attempted exploitation.
7. Educate administrators about the risks of enabling development features in production and the importance of applying security patches promptly.
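A `config/general.php` that applies recommendation 2, added here as an example rather than taken from Craft's shipped configuration; it assumes Craft's multi-environment array format, in which the top-level keys are matched against the `CRAFT_ENVIRONMENT` value and `'*'` applies to every environment.

```php
<?php
// config/general.php (added example, not Craft's default file).
// Assumption: the multi-environment array format, keyed by CRAFT_ENVIRONMENT.
return [
    // Safe default for any environment not listed explicitly below.
    '*' => [
        'allowAdminChanges' => false,
    ],

    // Local development only: field and plugin changes are legitimately
    // made here, so admin changes stay enabled.
    'dev' => [
        'devMode' => true,
        'allowAdminChanges' => true,
    ],

    // Production: the weak setting would be 'allowAdminChanges' => true,
    // which is the precondition the advisory names for CVE-2026-27126.
    // Keeping it false follows Craft's recommendation and removes that
    // precondition; upgrading to 4.16.19 / 5.8.23 is still required.
    'production' => [
        'devMode' => false,
        'allowAdminChanges' => false,
    ],
];
```

Verify the active value after deployment with `php craft config/general allowAdminChanges` is not a documented command; instead check the setting in the control panel's Utilities > System Report, or confirm that `CRAFT_ENVIRONMENT=production` is set in the production `.env`.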
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.043Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699d14d6be58cf853b182c33
Added to database: 2/24/2026, 3:02:46 AM
Last enriched: 3/4/2026, 1:56:28 AM
Last updated: 4/10/2026, 1:01:53 PM