Craft CMS 4.x/5.x XSS in editableTable.twig via Row Heading
CVE-2026-56383 Published on June 21, 2026
Craft CMS - Stored XSS in Table Field via Row Heading Column Type
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
Vulnerability Analysis
CVE-2026-56383 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-56383 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-56383
Want to know whenever a new CVE is published for Juzaweb Cms? stack.watch will email you.
Affected Versions
craftcms cms:- Version 4.5.0-beta.1 and below 4.16.19 is affected.
- Version 4.16.19 is unaffected.
- Version 5.0.0-RC1 and below 5.8.23 is affected.
- Version 5.8.23 is unaffected.