Stored Cross-Site Scripting in Craft CMS Editable Table Component
CVE-2026-56383

4.6 MEDIUM

Key Information:

Vendor: Craftcms

Status: Vendor

CVE Published: 21 June 2026

What is CVE-2026-56383?

Craft CMS has a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component. When the 'Row Heading' column type is used, the input values are not properly sanitized. This allows an attacker who holds an administrator account on an installation with 'allowAdminChanges' enabled to inject arbitrary JavaScript. The malicious script executes whenever another user views the page containing the compromised table field. Update to version 4.16.19 or 5.8.23 to mitigate this risk.

Affected Version(s)

cms 4.5.0-beta.1 < 4.16.19

cms 5.0.0-RC1 < 5.8.23

cms 4.16.19
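A fleet-side check for the version ranges listed above, added here as an example and not part of the advisory or of Craft CMS itself. It assumes Composer-style semver ordering in which a pre-release (beta, RC) sorts before the final release of the same number, so that 4.5.0-beta.1 < 4.5.0 < 4.16.19.

```python
import re

# Affected ranges as stated in this advisory (CVE-2026-56383):
# lower bound inclusive, upper bound exclusive (the first fixed release).
AFFECTED_RANGES = [
    ("4.5.0-beta.1", "4.16.19"),
    ("5.0.0-RC1", "5.8.23"),
]

# Pre-release stages in ascending order; a final release is ranked above all of them.
_PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RELEASE = 3


def parse_version(version):
    """Turn a Craft CMS version string such as '5.0.0-RC1' into a sortable tuple.

    Result: (major, minor, patch, stage, stage_number), where stage is 3 for a
    final release so that 4.5.0-beta.1 < 4.5.0 and 5.0.0-RC1 < 5.0.0.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (_FINAL_RELEASE, 0)
    stage = _PRERELEASE_ORDER.get(m.group(4).lower())
    if stage is None:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return core + (stage, int(m.group(5) or 0))


def is_affected(version):
    """True if the installed Craft CMS version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample versions covering both range edges.
    for v in ["4.4.17", "4.5.0-beta.1", "4.16.18", "4.16.19", "5.0.0-RC1", "5.8.22", "5.8.23"]:
        print(f"{v:<14} {'AFFECTED' if is_affected(v) else 'not affected'}")
```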

References

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mHe4am