CVE-2026-25496

MEDIUM EPSS 27.9%

Published Feb 9, 20264mo ago · Modified Jun 17, 20261w ago

4.8 CVSS 4.0

Medium

Published Feb 9, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

CVSS Details

Base Score

4.8

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

27.9% percentile

Exploit & Patch Status

Public Exploit Known

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 8

Vendor	Product	Version	Range
craftcms	craft_cms	*	>4.0.0 – <4.16.18
craftcms	craft_cms	*	>5.0.0 – <5.8.22
craftcms	craft_cms	4.0.0	any
craftcms	craft_cms	4.0.0	any
craftcms	craft_cms	4.0.0	any
craftcms	craft_cms	4.0.0	any
craftcms	craft_cms	5.0.0	any
craftcms	craft_cms	5.0.0	any

References 3

github.com https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513

Patch
github.com https://github.com/craftcms/cms/releases/tag/5.8.22

Release Notes
github.com https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78

ExploitPatchVendor Advisory

Remediation

github.com https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513

Patch
github.com https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78

ExploitPatchVendor Advisory