
Stored XSS in Table Field via "Row Heading" Column Type

Low
angrybrad published GHSA-6j87-m5qx-9fqp Feb 23, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 4.5.0-beta.1, <= 4.16.18
>= 5.0.0-RC1, <= 5.8.22

Patched versions

4.16.19
5.8.23

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

Prerequisites

Steps to Reproduce

  1. Navigate to Settings → Fields and create a new field with Type: Table
  2. Add a Column Heading and set Column Type to Row Heading
  3. In Default Values section, add a row with the following payload:
    <img src=x onerror="alert('XSS')">
  4. Enable Static Rows
  5. Use the field in any object (e.g., user profile fields) → then visit any user’s profile
  6. Notice the XSS execution
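Neither the affected editableTable.twig template nor the commit that fixes it is reproduced on this page. As an added, stand-alone illustration (not Craft CMS code), the PHP script below renders the payload from step 3 into a row-heading cell twice: once inserted verbatim, which models the unsanitized behaviour described above, and once HTML-escaped the way Twig's default `html` autoescape strategy does for `{{ heading }}`. The function names and the DOM-based regression check are assumptions made for the example.

```php
<?php
// Added example, not Craft CMS code. Models how a Table field's "Row Heading"
// value reaches the rendered page, unescaped versus escaped.
declare(strict_types=1);

// Constructed input: the payload from the advisory's reproduction steps.
const ROW_HEADING_PAYLOAD = '<img src=x onerror="alert(\'XSS\')">';

// Hypothetical name. Mirrors the flawed behaviour: the heading is concatenated
// into the <th> as-is, so the browser parses attacker-controlled markup.
function renderRowHeadingUnescaped(string $heading): string
{
    return '<th scope="row">' . $heading . '</th>';
}

// Hypothetical name. Mirrors the hardened behaviour: escape for an HTML text
// context. These flags match what Twig's html autoescape applies to {{ heading }}.
// ENT_QUOTES also covers quoted attribute contexts; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently turning the whole output into an empty string.
function renderRowHeadingEscaped(string $heading): string
{
    $safe = htmlspecialchars($heading, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<th scope="row">' . $safe . '</th>';
}

// Regression check a maintainer could keep in a test suite: after parsing the
// cell as HTML, the <th> must contain text only. Any element child means user
// input was interpreted as markup.
function headingIsNeutralized(string $cellHtml): bool
{
    $doc = new DOMDocument();
    // Wrap in a table so the fragment parses as a cell; @ silences libxml warnings.
    @$doc->loadHTML('<table><tr>' . $cellHtml . '</tr></table>');
    $th = $doc->getElementsByTagName('th')->item(0);
    if ($th === null) {
        return false;
    }
    foreach ($th->childNodes as $child) {
        if ($child->nodeType !== XML_TEXT_NODE) {
            return false;
        }
    }
    return true;
}

foreach (['unescaped' => renderRowHeadingUnescaped(ROW_HEADING_PAYLOAD),
          'escaped'   => renderRowHeadingEscaped(ROW_HEADING_PAYLOAD)] as $label => $html) {
    printf("%-9s %s\n          neutralized: %s\n", $label, $html, headingIsNeutralized($html) ? 'yes' : 'no');
}
```

Run with `php example.php`; the unescaped cell reports an element child (the injected `img`), while the escaped cell parses to a single text node.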

References

7b372de

Severity

Low

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Credits