CVE-2026-25491

LOW SEVERITY

Vulnerability Description

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Vulnerability Details

Published Date

February 09, 2026

Last Modified

February 10, 2026

CWE ID

CWE-79

Source

NVD

Vendor

craftcms

Product

cms

External References

https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4
https://github.com/craftcms/cms/releases/tag/5.8.22
https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

CVE-2026-25491

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment