Craft has a stored XSS in Number Prefix & Suffix...

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

Basic Information

ID CVE-2026-25496

Source GitHub_M

Published Feb 9, 2026 at 19:45

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.8.22

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.8.22
craftcms cms >= 4.0.0-RC1, < 4.16.18

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.",
    "published": "2026-02-09T19:45:19.835Z",
    "modified": "2026-02-09T19:45:19.835Z",
    "type": "cve",
    "title": "Craft has a stored XSS in Number Prefix & Suffix Fields",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78\nhttps://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513\nhttps://github.com/craftcms/cms/releases/tag/5.8.22",
    "id": "CVE-2026-25496",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.8.22\ncraftcms cms >= 4.0.0-RC1, < 4.16.18",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.8.22",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft has a stored XSS in Number Prefix & Suffix Fields_CVE-2026-25496