VulnerableCode Package Details - pkg:composer/craftcms/cms@4.5.0-RC1

Search for packages

Vulnerability	Summary	Fixed by
VCID-39ct-cg7w-kyb6 Aliases: CVE-2026-27126 GHSA-3jh3-prx3-w6wc	Craft CMS has Stored XSS in Table Field via "HTML" Column Type A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.	4.16.19 Affected by 0 other vulnerabilities. 5.8.23 Affected by 0 other vulnerabilities.
VCID-a3b5-pwyh-yugv Aliases: CVE-2026-27128 GHSA-6fx5-5cw5-4897	Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.	4.16.19 Affected by 0 other vulnerabilities. 5.8.23 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-39ct-cg7w-kyb6
Aliases:
CVE-2026-27126
GHSA-3jh3-prx3-w6wc

Craft CMS has Stored XSS in Table Field via "HTML" Column Type A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

4.16.19
Affected by 0 other vulnerabilities.

5.8.23
Affected by 0 other vulnerabilities.

VCID-a3b5-pwyh-yugv
Aliases:
CVE-2026-27128
GHSA-6fx5-5cw5-4897

Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.

4.16.19
Affected by 0 other vulnerabilities.

5.8.23
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:50:20.434520+00:00	GitLab Importer	Affected by	VCID-39ct-cg7w-kyb6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-27126.yml	38.6.0
2026-06-02T04:50:20.294276+00:00	GitLab Importer	Affected by	VCID-a3b5-pwyh-yugv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-27128.yml	38.6.0

2026-06-02T04:50:20.434520+00:00

GitLab Importer

Affected by

VCID-39ct-cg7w-kyb6

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-27126.yml

38.6.0

2026-06-02T04:50:20.294276+00:00

GitLab Importer

Affected by

VCID-a3b5-pwyh-yugv

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-27128.yml

38.6.0

Next non-vulnerable version	4.5.11
Latest non-vulnerable version	5.9.9
Risk