CVE-2026-25491 Overview
CVE-2026-25491 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS, a popular platform for creating digital experiences. The vulnerability exists in versions 5.0.0-RC1 through 5.8.21, where Entry Type names are not properly sanitized when displayed in the Entry Types list. An attacker with administrative privileges could inject malicious scripts that execute when other users view the Entry Types configuration page.
Critical Impact
Stored XSS in administrative interface allows persistent script injection that could compromise admin sessions, steal credentials, or perform unauthorized actions on behalf of authenticated users.
Affected Products
- Craft CMS versions 5.0.0-RC1 through 5.8.21
- Craft CMS Entry Type management functionality
- Craft CMS Control Panel (administrative interface)
Discovery Timeline
- 2026-02-09 - CVE-2026-25491 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25491
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) occurs within the Craft CMS Entry Types management system. The root issue stems from the getUiLabel() method output being rendered directly into HTML without proper encoding. When an administrator creates or edits an Entry Type and includes JavaScript code in the name field, that payload is stored in the database. Subsequently, when any user with access to the Entry Types list views the page, the malicious script executes in their browser context.
The attack requires high privileges (administrative access to create/modify Entry Types) but once stored, the payload persists and executes for all users viewing the affected page. This creates an opportunity for privilege abuse scenarios where a compromised or malicious administrator could target other high-privilege users.
Root Cause
The vulnerability originates in the src/services/Entries.php file where the Entry Type label is retrieved via $entryType->getUiLabel() and passed directly to HTML rendering functions without proper encoding. The missing call to Html::encode() allows raw HTML and JavaScript to pass through and be interpreted by the browser as executable code rather than display text.
Attack Vector
An attacker with administrative privileges to the Craft CMS Control Panel can exploit this vulnerability by:
- Navigating to the Entry Types configuration section
- Creating a new Entry Type or editing an existing one
- Injecting a malicious JavaScript payload into the Entry Type name field (e.g., <script>alert(document.cookie)</script>)
- Saving the Entry Type, which stores the unsanitized payload in the database
- When any authenticated user visits the Entry Types list, the stored script executes in their browser
$usages = $this->allEntryTypeUsages();
foreach ($entryTypes as $entryType) {
- $label = $entryType->getUiLabel();
+ $label = Html::encode($entryType->getUiLabel());
$chipCellContent = Html::beginTag('div', ['class' => 'inline-chips']) .
Cp::chipHtml($entryType, [
'labelHtml' => Html::a($label, $entryType->getCpEditUrl(), [
Source: GitHub Commit
Detection Methods for CVE-2026-25491
Indicators of Compromise
- Unusual or suspicious characters in Entry Type names including <script>, javascript:, onerror=, or other HTML event handlers
- Entry Type names containing encoded characters such as < or %3C that decode to angle brackets
- Unexpected JavaScript execution or browser console errors when viewing the Entry Types list
- Database entries in the Entry Types table containing HTML or script tags
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor application logs for unusual Entry Type creation or modification activity
- Perform regular audits of Entry Type names in the database for suspicious content
- Deploy Web Application Firewall (WAF) rules to detect XSS payloads in POST requests to Entry Type endpoints
Monitoring Recommendations
- Enable detailed audit logging for all Control Panel administrative actions
- Configure browser-based XSS detection and alerting through CSP violation reports
- Monitor for session cookie theft or unexpected admin session activity following Entry Type modifications
How to Mitigate CVE-2026-25491
Immediate Actions Required
- Upgrade Craft CMS to version 5.8.22 or later immediately
- Audit all existing Entry Type names in the database for malicious content
- Review administrative user accounts for unauthorized access or suspicious activity
- Consider temporarily restricting Entry Type modification permissions until patching is complete
Patch Information
Craft CMS has released version 5.8.22 which addresses this vulnerability by adding proper HTML encoding to Entry Type labels before rendering. The fix applies Html::encode() to the output of getUiLabel() in the src/services/Entries.php file, ensuring that any special characters are escaped and rendered as text rather than executable HTML.
For detailed information, refer to the GitHub Security Advisory GHSA-7pr4-wx9w-mqwr and the official release notes for version 5.8.22.
Workarounds
- If immediate patching is not possible, restrict access to Entry Type management to only the most trusted administrators
- Implement strict Content Security Policy headers to mitigate XSS impact by blocking inline script execution
- Manually sanitize existing Entry Type names by removing any HTML or script content from the database
- Apply Web Application Firewall rules to filter XSS patterns in requests to the Craft CMS Control Panel
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
