CVE-2026-25491

4.8 MEDIUM

📋 TL;DR

CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability in Craft CMS that allows attackers to inject malicious scripts via Entry Type names. These scripts execute when administrators view the Entry Types list, potentially compromising admin sessions. All Craft CMS installations from version 5.0.0-RC1 through 5.8.21 are affected.

💻 Affected Systems

Products:
  • Craft CMS
Versions: 5.0.0-RC1 to 5.8.21
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where users can create or modify Entry Types (typically admin users).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account takeover leading to full system compromise, data theft, or website defacement.

🟠 Likely Case

Session hijacking of admin users, unauthorized actions within the CMS, or credential theft.

🟢 If Mitigated

Limited impact if only trusted users can create Entry Types and admin sessions are properly secured.

🌐 Internet-Facing: MEDIUM - Requires admin access to exploit but affects internet-facing admin interfaces.
🏢 Internal Only: LOW - Only affects users with Entry Type creation permissions, typically administrators.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Entry Type creation/modification permissions. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.22

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

Restart Required: No

Instructions:

1. Back up your Craft CMS installation and database.
2. Update Craft CMS to version 5.8.22 or later via Composer: composer require "craftcms/cms:^5.8.22"
3. Apply any pending migrations with php craft up, and clear caches if necessary (php craft clear-caches/all).
4. Verify the update completed successfully (composer show craftcms/cms should report 5.8.22 or later).

🔧 Temporary Workarounds

Restrict Entry Type Management (all platforms)

Temporarily remove Entry Type creation/modification permissions from all non-essential users, and review which accounts currently hold them.

Input Validation Filter (all platforms)

As a stopgap, reject or strip angle brackets and quotes from Entry Type names server-side before they are stored. This is not a substitute for the patch: the underlying defect is that the name is rendered in the control panel without proper escaping, and an input filter can both miss encoded payloads and reject legitimate names.

🧯 If You Can't Patch

  • Restrict Entry Type management to only essential, trusted administrators.
  • Deploy a Content Security Policy that disallows inline script to limit what an injected payload can do; test that the Craft control panel still works under the policy before enforcing it, and treat CSP as defence in depth rather than a fix.

🔍 How to Verify

Check if Vulnerable:

Check Craft CMS version in admin panel or via 'composer show craftcms/cms' command.

Check Version:

composer show craftcms/cms | grep versions

Verify Fix Applied:

Confirm the installed version is 5.8.22 or later. Then, on a non-production copy, create an Entry Type whose name contains a harmless HTML fragment such as <b>escape-test</b> and confirm that the Entry Types list renders the characters literally (the page source should contain &lt;b&gt; rather than a live <b> element).
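A version check that can be run against a project's composer.lock, as an added example (not code from Craft CMS or from the advisory). It assumes the standard composer.lock layout (a "packages" array whose entries carry "name" and "version"); the affected range and fixed version are the ones stated above, and the sample lock document is constructed here. Pre-release versions such as 5.0.0-RC1 are ordered before their final release, as SemVer requires, which a plain string comparison gets wrong.

```python
import json
import re
from typing import Optional

# Range taken from this advisory: 5.0.0-RC1 through 5.8.21 affected, 5.8.22 fixed.
AFFECTED_MIN = "5.0.0-RC1"
AFFECTED_MAX = "5.8.21"
FIXED_VERSION = "5.8.22"


def parse_version(v: str) -> tuple:
    """Return a comparable key for a SemVer-style string such as '5.8.21' or '5.0.0-RC1'.

    Key layout: (major, minor, patch, release_flag, prerelease_tokens).
    release_flag is 1 for a final release and 0 for a pre-release, so that
    5.0.0-RC1 < 5.0.0 while 5.0.0 < 5.0.1.
    """
    v = v.strip().lstrip("v")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())
    # Numeric identifiers compare numerically and sort before alphanumeric ones.
    tokens = tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in pre.split("."))
    return core + (0, tokens)


def assess(version: str) -> str:
    """Classify an installed craftcms/cms version against this advisory."""
    key = parse_version(version)
    if key >= parse_version(FIXED_VERSION):
        return "fixed"
    if parse_version(AFFECTED_MIN) <= key <= parse_version(AFFECTED_MAX):
        return "vulnerable"
    return "outside-advisory-range"


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Extract the craftcms/cms version from a composer.lock document."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def check_lock(lock_json: str) -> str:
    """Human-readable verdict for a composer.lock document."""
    v = installed_craft_version(lock_json)
    if v is None:
        return "craftcms/cms not found in lock file"
    return f"craftcms/cms {v}: {assess(v)}"


# Constructed composer.lock excerpt; a real file carries many more fields per package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's composer.lock. A 4.x install reports "outside-advisory-range" because this advisory only names 5.x versions; that is not a statement that 4.x is safe.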

📡 Detection & Monitoring

Log Indicators:

  • Unusual Entry Type creation/modification logs
  • Admin session anomalies

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests to Entry Type endpoints

SIEM Query:

source="craft_logs" AND (event="entry_type_created" OR event="entry_type_updated") AND data.name CONTAINS "<script>"

This query only catches the literal string <script>. A stored XSS payload in a name field is at least as likely to use another tag with an event-handler attribute (for example an img or svg element with onerror or onload), a javascript: URI, or an entity- or percent-encoded form. Broaden the match to any angle-bracket tag, on*= attributes and javascript: after decoding, and alert on Entry Type writes by accounts that do not normally manage content structure.
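Detection logic over sample log lines, as an added example (not part of the page or of Craft CMS). The event names, user field and data.name layout are assumed to match the SIEM query above; Craft's own log format differs, so map the field names to whatever your log pipeline emits. The log lines are constructed here and include cases the literal <script> match misses: an event-handler attribute, an entity-encoded tag, and a percent-encoded tag.

```python
import html
import json
import re
import urllib.parse

# Indicators a stored-XSS payload in a name field typically needs. Matched after
# decoding so that entity- or percent-encoded variants are not missed.
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("data-uri", re.compile(r"data\s*:\s*text/html", re.I)),
]

WATCHED_EVENTS = {"entry_type_created", "entry_type_updated"}  # assumed event names


def normalize(value: str) -> str:
    """Undo up to two layers of percent- and entity-encoding before matching."""
    out = value
    for _ in range(2):
        out = html.unescape(urllib.parse.unquote(out))
    return out


def classify_name(name: str) -> list:
    """Return the list of indicator labels that fire on an Entry Type name."""
    decoded = normalize(name)
    return [label for label, rx in SUSPICIOUS if rx.search(decoded)]


def scan_events(lines) -> list:
    """Scan JSON log lines and return findings for suspicious Entry Type writes."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured event; skip rather than crash the scan
        if ev.get("event") not in WATCHED_EVENTS:
            continue
        name = ev.get("data", {}).get("name", "")
        hits = classify_name(name)
        if hits:
            findings.append({"user": ev.get("user"), "name": name, "indicators": hits})
    return findings


# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    '{"event":"entry_type_created","user":"editor1","data":{"name":"Blog Post"}}',
    '{"event":"entry_type_updated","user":"editor2","data":{"name":"News<script>alert(1)</script>"}}',
    '{"event":"entry_type_created","user":"editor3","data":{"name":"Promo<img src=x onerror=alert(document.cookie)>"}}',
    '{"event":"entry_type_updated","user":"editor4","data":{"name":"&lt;svg onload=alert(1)&gt;"}}',
    '{"event":"entry_type_created","user":"editor5","data":{"name":"Q&A"}}',
    '{"event":"user_login","user":"editor6","data":{"name":"<script>ignored</script>"}}',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f"{f['user']}: {f['indicators']} in {f['name']!r}")
```

Only the editor2 line would have matched the literal <script> query; the editor3 and editor4 lines are flagged here because the check decodes the value and looks for any tag and any on*= attribute. The "Q&A" name is a reminder that an ampersand alone is not an indicator, and the user_login line is ignored because it is not an Entry Type write.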
