CVE-2026-25496 (GCVE-0-2026-25496)
Vulnerability from cvelistv5 – Published: 2026-02-09 19:45 – Updated: 2026-02-10 16:00
VLAI?
Title
Craft has a stored XSS in Number Prefix & Suffix Fields
Summary
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:30:19.770435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:00:13.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.22"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles. This issue is patched in versions 4.16.18 and 5.8.22."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T19:45:19.835Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"
},
{
"name": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"
},
{
"name": "https://github.com/craftcms/cms/releases/tag/5.8.22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
}
],
"source": {
"advisory": "GHSA-9f5h-mmq6-2x78",
"discovery": "UNKNOWN"
},
"title": "Craft has a stored XSS in Number Prefix \u0026 Suffix Fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25496",
"datePublished": "2026-02-09T19:45:19.835Z",
"dateReserved": "2026-02-02T16:31:35.824Z",
"dateUpdated": "2026-02-10T16:00:13.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25496\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-09T20:15:58.223\",\"lastModified\":\"2026-02-19T19:17:02.927\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles. This issue is patched in versions 4.16.18 and 5.8.22.\"},{\"lang\":\"es\",\"value\":\"Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, existe una vulnerabilidad de XSS almacenado en la configuraci\u00f3n del tipo de campo N\u00famero. Los campos Prefijo y Sufijo se renderizan utilizando el filtro Twig |md|raw sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando el campo N\u00famero se muestra en los perfiles de los usuarios. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"4.0.0\",\"versionEndExcluding\":\"4.16.18\",\"matchCriteriaId\":\"29EBFBEA-6CFF-49DD-BEE0-3E65E89DEA2E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"5.0.0\",\"versionEndExcluding\":\"5.8.22\",\"matchCriteriaId\":\"E1C69442-81E7-4695-B09C-E7811765D283\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"610F6DE9-720F-45B3-81D5-18E7F6B090FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC2F40FC-7C27-456A-B16D-679410D1D5CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBAA8227-04F8-404C-907B-B0162B325F5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"21B28E2C-327A-4CE6-ACAD-97E459712A55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C7461CF-35AB-48E1-88B6-956DAE1D2AB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D8E02D1-601A-4E2B-B619-4775BFDB72D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/cms/releases/tag/5.8.22\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25496\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:30:19.770435Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:30:20.434Z\"}}], \"cna\": {\"title\": \"Craft has a stored XSS in Number Prefix \u0026 Suffix Fields\", \"source\": {\"advisory\": \"GHSA-9f5h-mmq6-2x78\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0-RC1, \u003c 5.8.22\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-RC1, \u003c 4.16.18\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78\", \"name\": \"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513\", \"name\": \"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/cms/releases/tag/5.8.22\", \"name\": \"https://github.com/craftcms/cms/releases/tag/5.8.22\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles. This issue is patched in versions 4.16.18 and 5.8.22.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-09T19:45:19.835Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25496\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T16:00:13.566Z\", \"dateReserved\": \"2026-02-02T16:31:35.824Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-09T19:45:19.835Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-25496
Vulnerability from fkie_nvd - Published: 2026-02-09 20:15 - Updated: 2026-02-19 19:17
Severity ?
Summary
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29EBFBEA-6CFF-49DD-BEE0-3E65E89DEA2E",
"versionEndExcluding": "4.16.18",
"versionStartExcluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1C69442-81E7-4695-B09C-E7811765D283",
"versionEndExcluding": "5.8.22",
"versionStartExcluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles. This issue is patched in versions 4.16.18 and 5.8.22."
},
{
"lang": "es",
"value": "Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, existe una vulnerabilidad de XSS almacenado en la configuraci\u00f3n del tipo de campo N\u00famero. Los campos Prefijo y Sufijo se renderizan utilizando el filtro Twig |md|raw sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando el campo N\u00famero se muestra en los perfiles de los usuarios. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."
}
],
"id": "CVE-2026-25496",
"lastModified": "2026-02-19T19:17:02.927",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-09T20:15:58.223",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory",
"Patch"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-9F5H-MMQ6-2X78
Vulnerability from github – Published: 2026-02-09 20:35 – Updated: 2026-02-09 22:39
VLAI?
Summary
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Details
Summary
A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.
Proof of Concept
Required Permissions
- Administrator access
allowAdminChangesis enabled in production, which is against our security recommendations.
Steps to Reproduce
- Log in with an admin account
- Navigate to Settings → Fields → New field
- Choose Number as the field type
- Set the Prefix/Suffix Text field to:
<img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
- Save the field
- Add this field to any element (e.g., User Profile fields via Settings → Users → User Fields)
- Navigate to your account (
/admin/myaccount) or any user profile (/admin/users/{id}) - XSS executes when viewing the form
Mitigation
Sanitize prefix/suffix before rendering or use |e filter instead of |raw.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.21"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.17"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.16.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25496"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-09T20:35:47Z",
"nvd_published_at": "2026-02-09T20:15:58Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles.\n\n## Proof of Concept\n\n### Required Permissions\n\n- Administrator access\n- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).\n\n### Steps to Reproduce\n1. Log in with an admin account\n2. Navigate to **Settings** \u2192 **Fields** \u2192 **New field**\n3. Choose **Number** as the field type\n4. Set the **Prefix/Suffix Text** field to: \u003cimg width=\"611\" height=\"908\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63766ca4-4fa9-490b-8bea-37364137527d\" /\u003e\n```html\n\u003cimg src=x onerror=\"alert(\u0027Number Prefix/Suffix XSS\u0027)\" hidden\u003e\n```\n5. Save the field\n6. Add this field to any element (e.g., User Profile fields via **Settings** \u2192 **Users** \u2192 **User Fields**)\n7. Navigate to your account (`/admin/myaccount`) or any user profile (`/admin/users/{id}`)\n8. XSS executes when viewing the form \u003cimg width=\"1246\" height=\"677\" alt=\"image-1\" src=\"https://github.com/user-attachments/assets/dafeb2b7-905f-4a4b-b3d6-1c16a905498f\" /\u003e\n\n## Mitigation\nSanitize prefix/suffix before rendering or use `|e` filter instead of `|raw`.",
"id": "GHSA-9f5h-mmq6-2x78",
"modified": "2026-02-09T22:39:05Z",
"published": "2026-02-09T20:35:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS Vulnerable to Stored XSS in Number Prefix \u0026 Suffix Fields"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…