GHSA-6J87-M5QX-9FQP

Vulnerability from github – Published: 2026-02-25 19:11 – Updated: 2026-02-25 19:11
VLAI?
Summary
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
Details

A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

Prerequisites

Steps to Reproduce

  1. Navigate to SettingsFields and create a new field with Type: Table
  2. Add a Column Heading and set Column Type to Row Heading
  3. In Default Values section, add a row with the following payload: html <img src=x onerror="alert('XSS')">
  4. Enable Static Rows
  5. Use the field in any object (e.g., user profile fields) → then visit any user’s profile
  6. Notice the XSS execution

Resources

https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a

Severity ?
2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.18"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0-beta.1"
            },
            {
              "fixed": "4.16.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.22"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T19:11:31Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.\n\n## Prerequisites\n* An administrator account\n* `allowAdminChanges` must be enabled in production, which is [against security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).\n\n## Steps to Reproduce\n1. Navigate to **Settings** \u2192 **Fields** and create a new field with Type: **Table**\n1. Add a **Column Heading** and set **Column Type** to `Row Heading`\n1. In **Default Values** section, add a row with the following payload:\n    ```html\n    \u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\"\u003e\n    ```\n1. Enable `Static Rows`\n1. Use the field in any object (e.g., user profile fields) \u2192 then visit any user\u2019s profile\n1. Notice the XSS execution\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a",
  "id": "GHSA-6j87-m5qx-9fqp",
  "modified": "2026-02-25T19:11:31Z",
  "published": "2026-02-25T19:11:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a"
    },
    {
      "type": "WEB",
      "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has Stored XSS in Table Field in its \"Row Heading\" Column Type"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.