Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ntx4-ssgk-jqgh
Vulnerability ID VCID-ntx4-ssgk-jqgh
Aliases CVE-2026-27126
GHSA-3jh3-prx3-w6wc
Summary Craft CMS has Stored XSS in Table Field via "HTML" Column Type A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2026-27126
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-3jh3-prx3-w6wc
cvssv4 5.9 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 5.9 https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
generic_textual MODERATE https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
ssvc Track https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
cvssv4 5.9 https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
cvssv4 5.9 https://nvd.nist.gov/vuln/detail/CVE-2026-27126
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-27126
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-27126
https://github.com/craftcms/cms
https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
CVE-2026-27126 https://nvd.nist.gov/vuln/detail/CVE-2026-27126
GHSA-3jh3-prx3-w6wc https://github.com/advisories/GHSA-3jh3-prx3-w6wc
GHSA-3jh3-prx3-w6wc https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/ Found at https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27126
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01801
EPSS Score 0.00012
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:06:46.343342+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/craftcms/cms/CVE-2026-27126.yml 38.6.0