{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25496", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.824Z", "datePublished": "2026-02-09T19:45:19.835Z", "dateUpdated": "2026-02-10T16:00:13.566Z"}, "containers": {"cna": {"title": "Craft has a stored XSS in Number Prefix & Suffix Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}, {"name": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.8.22", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.16.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:45:19.835Z"}, "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22."}], "source": {"advisory": "GHSA-9f5h-mmq6-2x78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:19.770435Z", "id": "CVE-2026-25496", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:00:13.566Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:19.770435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:20.434Z"}}], "cna": {"title": "Craft has a stored XSS in Number Prefix & Suffix Fields", "source": {"advisory": "GHSA-9f5h-mmq6-2x78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.22"}, {"status": "affected", "version": ">= 4.0.0-RC1, < 4.16.18"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "name": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:45:19.835Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25496", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:00:13.566Z", "dateReserved": "2026-02-02T16:31:35.824Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T19:45:19.835Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "29EBFBEA-6CFF-49DD-BEE0-3E65E89DEA2E", "versionEndExcluding": "4.16.18", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1C69442-81E7-4695-B09C-E7811765D283", "versionEndExcluding": "5.8.22", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22."}, {"lang": "es", "value": "Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 hasta 4.16.17 y 5.0.0-RC1 hasta 5.8.21, existe una vulnerabilidad de XSS almacenado en la configuraci\u00f3n del tipo de campo N\u00famero. Los campos Prefijo y Sufijo se renderizan utilizando el filtro Twig |md|raw sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando el campo N\u00famero se muestra en los perfiles de los usuarios. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."}], "id": "CVE-2026-25496", "lastModified": "2026-02-19T19:17:02.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:58.223", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.16.18)"}}], "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-18T18:13:32.616300+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.16.18, 5.8.22, or newer to apply the official patch.", "Restrict or remove administrative access to Number field type settings; only trusted administrators should modify prefixes or suffixes.", "Monitor system logs and asset configuration to detect unauthorized changes to Number field prefixes or suffixes, and temporarily disable public viewing of affected profiles if possible until the patch is applied."], "summary": {"action": "Patch Now", "impact": "Stored cross\u2011site scripting via unsanitized Number field prefix and suffix settings"}, "threat_synthesis": {"affected_systems": "The flaw exists in Craft CMS versions 4.0.0\u2011RC1 through 4.16.17 and 5.0.0\u2011RC1 through 5.8.21. Users of any of these releases should verify their installed version and apply the update if necessary.", "description_and_impact": "Craft CMS allows administrators to configure numeric fields with optional prefix and suffix text. These fields are rendered with the |md|raw Twig filter without escaping, permitting an attacker to submit script tags or other executable content. When the number field is displayed on a user profile, the injected script executes in the victim\u2019s browser context, potentially allowing session hijacking, data theft, or malicious actions on behalf of the user. The vulnerability is a classic stored XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 4.8 reflects moderate impact. The EPSS score of <1% indicates that current likelihood of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to edit the number field settings\u2014a capability normally restricted to administrators. Once the malicious prefix or suffix is stored, any visitor to the affected profile page will execute the payload, making the attack effective against both authenticated and unauthenticated users. Due to the privileged nature of the write access required, the attack vector is best described as an authenticated internal or compromised\u2011account exploitation. The overall risk to a system that has not applied the patch is moderate but incremental over time as more vulnerable sites become discovered."}}}}, "created": "2026-02-10T15:37:28.248648+00:00", "updated": "2026-04-18T18:15:06.621651+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}