CVE-2026-56383

Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp
https://www.vulncheck.com/advisories/craft-cms-stored-xss-in-table-field-via-row-heading-column-type
https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp

Configurations

No configuration.

History

23 Jun 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp -

21 Jun 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-21 14:16

Updated : 2026-06-23 15:16

NVD link : CVE-2026-56383

Mitre link : CVE-2026-56383

CVE.ORG link : CVE-2026-56383

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-56383", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-56383", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T14:00:40.463813Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": "4.5.0-beta.1", "lessThan": "4.16.19", "versionType": "semver"}, {"status": "unaffected", "version": "4.16.19", "versionType": "semver"}, {"status": "affected", "version": "5.0.0-RC1", "lessThan": "5.8.23", "versionType": "semver"}, {"status": "unaffected", "version": "5.8.23", "versionType": "semver"}], "packageURL": "pkg:composer/craftcms/cms", "defaultStatus": "unaffected"}]}], "published": "2026-06-21T14:16:25.890", "references": [{"url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/craft-cms-stored-xss-in-table-field-via-row-heading-column-type", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23."}], "lastModified": "2026-06-23T15:16:39.370", "sourceIdentifier": "disclosure@vulncheck.com"}