CVE-2026-27126: Craft CMS has Stored XSS in Table Field via "HTML" Column Type

February 23, 2026

A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

References

github.com/advisories/GHSA-3jh3-prx3-w6wc
github.com/craftcms/cms
github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
nvd.nist.gov/vuln/detail/CVE-2026-27126

Code Behaviors & Features

Detect and mitigate CVE-2026-27126 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →