CVE-2026-25491 LOW

CVE-2026-25491: Craft has a Stored XSS in Entry Types Name

Vendor Craftcms

Product cms

Weakness CWE-79 · XSS

Published February 9, 2026

Last update February 10, 2026

View on NVD All CVEs

CVSS base score

1.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Key dates

02Disclosure timeline

February 9, 2026 CVE published

February 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25491 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-50580 CVE-2024-36146 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-22521 WordPress wp Hosting Performance Check Plugin <= 2.18.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-49550 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2024-43227 WordPress BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer for Elementor & Gutenberg plugin <= 3.5.8 - Cross Site Scripting (XSS) vulnerability