CVE-2026-25496

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513	Patch
https://github.com/craftcms/cms/releases/tag/5.8.22	Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78	Exploit Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

No history.

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:17

NVD link : CVE-2026-25496

Mitre link : CVE-2026-25496

CVE.ORG link : CVE-2026-25496

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25496", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-09T20:15:58.223", "references": [{"url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "tags": ["Exploit", "Vendor Advisory", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22."}, {"lang": "es", "value": "Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, existe una vulnerabilidad de XSS almacenado en la configuraci\u00f3n del tipo de campo N\u00famero. Los campos Prefijo y Sufijo se renderizan utilizando el filtro Twig |md|raw sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando el campo N\u00famero se muestra en los perfiles de los usuarios. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."}], "lastModified": "2026-02-19T19:17:02.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29EBFBEA-6CFF-49DD-BEE0-3E65E89DEA2E", "versionEndExcluding": "4.16.18", "versionStartExcluding": "4.0.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1C69442-81E7-4695-B09C-E7811765D283", "versionEndExcluding": "5.8.22", "versionStartExcluding": "5.0.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}