CVE-2026-25496

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513	Patch
https://github.com/craftcms/cms/releases/tag/5.8.22	Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78	Exploit Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

19 Feb 2026, 19:17

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513 -~~	() https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513 - Patch
References	~~() https://github.com/craftcms/cms/releases/tag/5.8.22 -~~	() https://github.com/craftcms/cms/releases/tag/5.8.22 - Release Notes
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78 - Exploit, Vendor Advisory, Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Craftcms Craftcms craft Cms
Summary		(es) Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, existe una vulnerabilidad de XSS almacenado en la configuración del tipo de campo Número. Los campos Prefijo y Sufijo se renderizan utilizando el filtro Twig \|md\|raw sin el escape adecuado, lo que permite la ejecución de scripts cuando el campo Número se muestra en los perfiles de los usuarios. Este problema está parcheado en las versiones 4.16.18 y 5.8.22.
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::

09 Feb 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:17

NVD link : CVE-2026-25496

Mitre link : CVE-2026-25496

CVE.ORG link : CVE-2026-25496

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10