diff --git a/assets/js-templates/spa-components.php b/assets/js-templates/spa-components.php
index 24b66f7..eec982a 100644
--- a/assets/js-templates/spa-components.php
+++ b/assets/js-templates/spa-components.php
@@ -77,7 +77,7 @@
-
+ {{ entry.fields[index] }}
diff --git a/includes/fields/class-abstract-fields.php b/includes/fields/class-abstract-fields.php
index ef6ffd6..ae42228 100644
--- a/includes/fields/class-abstract-fields.php
+++ b/includes/fields/class-abstract-fields.php
@@ -545,7 +545,7 @@ public function prepare_entry( $field, $args = [] ) {
 if ( is_array( $value ) ) {
 $entry_value = implode( WeForms::$field_separator, $args[$field['name']] );
 } else {
- $entry_value = trim( $value );
+ $entry_value = sanitize_textarea_field( trim( $value ) );
 }
 return $entry_value;
diff --git a/package.json b/package.json
index b067070..eed7df9 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "weForms",
 "author": "BoldGrid",
- "version": "1.6.27",
+ "version": "1.6.28",
 "license": "GPL-2.0",
 "repository": {
 "type": "git",
diff --git a/readme.txt b/readme.txt
index a95b0d1..3b356ee 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: form builder, contact form, forms, form creator, custom form
 Requires at least: 5.0
 Requires PHP: 7.2.5
 Tested up to: 6.9
-Stable tag: 1.6.27
+Stable tag: 1.6.28
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -240,6 +240,12 @@ Please report security bugs found in the source code of the undefined plugin thr
 == Changelog ==
+= Version 1.6.28 ( 27 February, 2026 ) =
+* Security: Patched stored XSS vulnerability in form entry fields.
+= Version 1.6.27 ( 09 February, 2026 ) =
+* Security: Patched object injection vulnerability.
 = Version 1.6.26 ( 17 December, 2025 ) =
 * Fix: Added extra validation for form uploads.
diff --git a/weforms.php b/weforms.php
index cf5eb81..dde519b 100644
--- a/weforms.php
+++ b/weforms.php
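Review bot: The new line renders the entry value through text interpolation (`{{ entry.fields[index] }}`), which in a Vue-style template HTML-escapes the value and is the right treatment for untrusted entry data; the removed line's markup was stripped from this page, however, so I cannot confirm which binding it replaces. If any field type previously depended on being rendered as raw HTML (a link or upload preview, for instance), it will now display its markup as text and should get an explicit per-field safe rendering rather than a return to a blanket raw-HTML binding. Any other place in this template that still binds entry data as raw HTML should receive the same change, since this hunk is the output-side half of the stored-XSS fix.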
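Review bot: The sanitizer is applied only on the scalar branch; the `is_array( $value )` branch two lines above still implodes `$args[$field['name']]` with its elements unsanitized, so multi-value fields (checkbox/multi-select style) keep the stored-XSS surface this commit sets out to close. Assuming the elements are scalars, sanitize each one before joining, e.g. `$entry_value = implode( WeForms::$field_separator, array_map( 'sanitize_textarea_field', (array) $args[$field['name']] ) );`, and note that the condition tests `$value` while the implode reads `$args[$field['name']]` — presumably the same data, but the assignment of `$value` happens before the hunk (prepare_entry's body starts outside it), so I can't confirm. `sanitize_textarea_field()` already trims its input, so the inner `trim()` is redundant and could be dropped. Input sanitization here is lossy (it strips tags from what the submitter typed), so escaping at render time remains the primary control and this change is best treated as defense in depth.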
@@ -5,7 +5,7 @@
 * Plugin URI: https://weformspro.com/
 * Author: weForms
 * Author URI: https://weformspro.com/
- * Version: 1.6.27
+ * Version: 1.6.28
 * License: GPL2 or later
 * License URI: https://www.gnu.org/licenses/gpl-2.0.html
 * Text Domain: weforms
@@ -55,7 +55,7 @@ final class WeForms {
 *
 * @var string
 */
- public $version = '1.6.27';
+ public $version = '1.6.28';
 /**
 * Form field value seperator