Vulnerability Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.16.18 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513Patch
- https://github.com/craftcms/cms/releases/tag/5.8.22Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78ExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-25496?
CVE-2026-25496 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The...
How severe is CVE-2026-25496?
CVE-2026-25496 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25496?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.