CVE-2026-27126 Overview
CVE-2026-27126 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the editableTable.twig component when using the html column type. The application fails to properly sanitize input, allowing an attacker to inject and execute arbitrary JavaScript code when another user views a page containing the malicious table field.
Critical Impact
Successful exploitation enables persistent JavaScript execution in victim browsers, potentially leading to session hijacking, credential theft, defacement, or further attacks against CMS administrators and users.
Affected Products
- Craft CMS versions 4.5.0-RC1 through 4.16.18
- Craft CMS versions 5.0.0-RC1 through 5.8.22
Discovery Timeline
- 2026-02-24 - CVE-2026-27126 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-27126
Vulnerability Analysis
This stored XSS vulnerability stems from insufficient input sanitization in Craft CMS's editableTable.twig component. When table fields are configured to use the html column type, user-supplied content is rendered without proper encoding or sanitization, allowing malicious scripts to persist in the database and execute whenever the affected page is viewed.
The vulnerability requires attacker access to an administrator account and depends on the allowAdminChanges setting being enabled in production environments. While these prerequisites limit the attack surface, it's worth noting that enabling allowAdminChanges in production goes against Craft's own security recommendations.
Root Cause
The root cause is improper input validation (CWE-79) in the table field component. The editableTable.twig template renders HTML column content without adequate sanitization, failing to escape potentially dangerous characters and script tags. This allows stored malicious payloads to execute in the context of authenticated user sessions.
Attack Vector
The attack vector is network-based, requiring an authenticated attacker with administrator privileges to inject malicious JavaScript through the table field interface. The stored payload persists in the CMS database and executes automatically when other users (including other administrators) view pages containing the affected table field.
The exploitation flow involves:
- Attacker authenticates as an administrator
- Attacker creates or modifies a table field using the html column type
- Attacker injects malicious JavaScript payload into the field content
- Payload is stored in the database without proper sanitization
- When other users view the page, the malicious script executes in their browser context
*/
class Table extends Field
{
+ private static array $typeOptions;
+
/**
* @inheritdoc
*/
Source: GitHub Commit Update
The security patch introduces a $typeOptions array to ensure column types are validated against a supported range, preventing arbitrary HTML injection through unsanitized column type handling.
Detection Methods for CVE-2026-27126
Indicators of Compromise
- Unexpected JavaScript code or <script> tags stored in table field content within the Craft CMS database
- Anomalous network requests originating from the CMS control panel to external domains
- Unusual session activity or authentication events following administrator page views
- Modified table field configurations with suspicious HTML column content
Detection Strategies
- Review Craft CMS audit logs for table field modifications by administrator accounts
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Monitor for XSS patterns in database content, particularly within table field storage
- Deploy web application firewall (WAF) rules to detect XSS payloads in POST requests to the control panel
Monitoring Recommendations
- Enable detailed logging for all administrative actions within Craft CMS
- Configure alerts for modifications to table fields using the html column type
- Monitor browser console errors that may indicate blocked malicious script attempts
- Implement integrity monitoring for CMS configuration changes in production
How to Mitigate CVE-2026-27126
Immediate Actions Required
- Upgrade Craft CMS to version 4.16.19 or 5.8.23 immediately
- Disable allowAdminChanges in production environments as per Craft's security recommendations
- Audit existing table field content for suspicious HTML or JavaScript payloads
- Review administrator account access and rotate credentials if compromise is suspected
Patch Information
Craft CMS has released patched versions addressing this vulnerability. Users running affected versions should upgrade to 4.16.19 (for the 4.x branch) or 5.8.23 (for the 5.x branch). The patch validates column types against a supported range, preventing the injection of arbitrary HTML content. For detailed patch information, refer to the GitHub Security Advisory GHSA-3jh3-prx3-w6wc and the commit implementing the fix.
Workarounds
- Set allowAdminChanges to false in production configuration to prevent exploitation
- Restrict administrator account access to trusted personnel only
- Avoid using the html column type in table fields until patching is complete
- Implement Content Security Policy headers to mitigate potential script execution
# Craft CMS configuration example (config/general.php)
# Disable admin changes in production to mitigate vulnerability
return [
'production' => [
'allowAdminChanges' => false,
],
];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
