CVE-2026-27126
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
描述
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. ## Prerequisites * An administrator account * `allowAdminChanges` must be enabled in production, which is [against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production). ## Steps to Reproduce 1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table** 1. Add a **Column Heading** and set **Column Type** to `Single-line text` - **Note:** The vulnerable **Column Type** is `html`, but it's not available in the UI dropdown. 1. In **Default Values** section, add a row with the following payload: ```html <img src=x onerror="alert('XSS')"> ``` 1. Enable `Static Rows` 1. Intercept the **Save Field** request using a proxy tool (e.g., Burp Suite) or use `cURL` directly 1. Modify the request body and change the `types[craft-fields-Table][columns][col3][type]` parameter from `singleline` to `html` 1. Forward the request to save the field 1. Use the field in any object (e.g. user profile fields) → then visit the any user's profile 1. Notice the XSS execution 1. The XSS will also trigger when an administrator attempts to edit this field, as the malicious payload is executed within the field configuration page, too. ## Resources https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
如何修補 CVE-2026-27126
要修補 CVE-2026-27126,請將受影響套件升級到下列已修補版本。
- —升級至 4.16.19 或更新版本
CVE-2026-27126 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 4.5.0-RC1, < 4.16.19