CVE-2026-25496
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Description
## Summary

A stored XSS vulnerability exists in the Number field type's settings. The **Prefix** and **Suffix** settings are rendered through the `|md|raw` Twig filter chain: `|md` converts the setting text to HTML (Markdown passes inline HTML through unchanged), and `|raw` then emits that HTML without escaping. Any markup placed in the setting is therefore injected verbatim into the control panel page and executes whenever a form containing the Number field (for example a user profile) is displayed.

## Proof of Concept

### Required Permissions

- Administrator access
- `allowAdminChanges` enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).

### Steps to Reproduce

1. Log in with an admin account.
2. Navigate to **Settings** → **Fields** → **New field**.
3. Choose **Number** as the field type.
4. Set the **Prefix/Suffix Text** setting to:

   ```html
   <img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
   ```

5. Save the field.
6. Add the field to any element type (e.g. user profiles via **Settings** → **Users** → **User Fields**).
7. Navigate to your own account (`/admin/myaccount`) or any user's profile (`/admin/users/{id}`).
8. The XSS executes when the form is rendered.

## Mitigation

Sanitize the prefix/suffix before rendering, or escape it with the `|e` filter instead of marking it safe with `|raw`.
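The following is an added example, not Craft's code and not part of the advisory. It does two things a practitioner would want when triaging this class of bug: it scans Twig source for output tags whose filter chain runs `|md` (or `|markdown`) and then `|raw`, and it shows the advisory's payload as emitted by the vulnerable chain next to the same value passed through the equivalent of Twig's `|e` filter. The Twig fragment is constructed for the example; the expression names (`field.prefix`, `field.suffix`) are assumptions, not Craft's real template, and `markdown_stub` stands in for the Markdown converter only to the extent that matters here (inline HTML passes through).

```python
"""Added example (not Craft's code): audit Twig source for the |md|raw chain
and compare raw vs escaped rendering of the advisory's payload."""
from __future__ import annotations

import html
import re

# Payload from the advisory's reproduction steps.
PAYLOAD = '<img src=x onerror="alert(\'Number Prefix/Suffix XSS\')" hidden>'

# Constructed Twig fragment standing in for a field-settings template
# (assumed names, not Craft's real template). Lines 1 and 3 use the
# vulnerable chain; the other lines are present as negatives.
SAMPLE_TEMPLATE = """\
<span class="prefix">{{ field.prefix|md|raw }}</span>
<input type="number" name="{{ name }}">
<span class="suffix">{{ field.suffix | markdown | raw }}</span>
<p class="instructions">{{ field.instructions|md }}</p>
<label>{{ field.name|e }}</label>
"""

# An output tag {{ ... }} whose filter chain applies md/markdown and later raw.
# Whitespace around the pipes is tolerated; filters between md and raw are too.
RAW_MARKDOWN = re.compile(
    r"\{\{\s*(?P<expr>[^}]*?\|\s*(?:md|markdown)\b[^}]*?\|\s*raw\b[^}]*?)\}\}"
)


def find_raw_markdown(source: str) -> list[tuple[int, str]]:
    """Return (line number, expression) for every |md ... |raw output tag."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in RAW_MARKDOWN.finditer(line):
            hits.append((lineno, match.group("expr").strip()))
    return hits


def markdown_stub(text: str) -> str:
    """Stand-in for the md filter. Markdown passes inline HTML through
    untouched, which is why a tag stored in the setting survives conversion.
    A real converter would also wrap the text in <p>...</p>; omitted here."""
    return text


def render_setting(value: str, escape: bool) -> str:
    """Model both filter chains. escape=False is |md|raw (the vulnerable
    chain). escape=True applies the equivalent of Twig's |e (htmlspecialchars
    with ENT_QUOTES) to the converted text; Python encodes ' as &#x27; where
    PHP emits &#039;, and both are inert in an HTML text node."""
    converted = markdown_stub(value)
    return html.escape(converted, quote=True) if escape else converted


def contains_active_html(fragment: str) -> bool:
    """A literal '<' followed by a tag name means the browser will parse
    markup out of the setting value."""
    return re.search(r"<[a-zA-Z]", fragment) is not None


if __name__ == "__main__":
    for lineno, expr in find_raw_markdown(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {{{{ {expr} }}}} renders markdown unescaped")
    print("raw:    ", render_setting(PAYLOAD, escape=False))
    print("escaped:", render_setting(PAYLOAD, escape=True))
```

Two caveats on the mitigation. Escaping has to be applied to the final HTML string, so `|e` placed after `|md` also escapes the `<p>`, `<strong>` and similar tags the converter produced, and the setting loses its Markdown formatting; if formatting must be kept, the output needs an allow-list HTML sanitizer rather than plain escaping. And a scan like the one above only finds the `|md|raw` pattern; a filter that already returns pre-marked-safe markup would not show `|raw` in the template and needs to be reviewed by hand.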
How to fix CVE-2026-25496
To remediate CVE-2026-25496, upgrade the affected package to a fixed version below.
- Upgrade to 5.8.22 or later.
Is CVE-2026-25496 being exploited?
Low. EPSS is 0.0%, i.e. the model estimates a negligible probability of exploitation in the wild over the next 30 days; EPSS is a prediction, not a record of observed attacks.
Affected packages (1)
- >= 5.0.0-RC1, < 5.8.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |