Craft CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-25496 - Vulnerability Database

Craft CMS

Craft CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-25496

Medium

Reference: CVE-2026-25496

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-25496

Title: Craft CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the mdraw Twig filter without proper escaping allowing script execution when the Number field is displayed on users39 profiles. This issue is patched in versions 4.16.18 and 5.8.22.