CVE-2026-25496 MEDIUM

CVE-2026-25496: Craft has a stored XSS in Number Prefix & Suffix Fields

Vendor Craftcms
Product cms
Weakness CWE-79 · XSS
Published February 9, 2026
Last update February 10, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.

Key dates

02Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated