CVE-2026-25496

MEDIUM SEVERITY

Vulnerability Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

Vulnerability Details

Published Date

February 09, 2026

Last Modified

February 10, 2026

CWE ID

CWE-79

Source

NVD

Vendor

craftcms

Product

cms

External References

https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
https://github.com/craftcms/cms/releases/tag/5.8.22
https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78

CVE-2026-25496

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment