CVE-2026-25496
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Craft CMS allows attackers to inject malicious scripts into Number field prefixes/suffixes. When these fields are displayed on user profiles, the scripts execute in victims' browsers. All Craft CMS installations using vulnerable versions are affected.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on visitors' systems.
Likely Case
Session hijacking, credential theft, defacement of user profiles, or limited account compromise.
If Mitigated
If proper content security policies and input validation are in place, impact is reduced to potential UI manipulation without data theft.
🎯 Exploit Status
Exploitation requires ability to modify Number field settings (typically admin access), but once stored, affects all users viewing profiles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.18 and 5.8.22
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
Restart Required: No
Instructions:
1. Back up your Craft installation and database.
2. Update via Composer: composer require craftcms/cms:^4.16.18 (4.x line) or composer require craftcms/cms:^5.8.22 (5.x line).
3. Clear caches: php craft clear-caches/all
4. Verify the update via the Control Panel.
🔧 Temporary Workarounds
Disable Number fields on user profiles
Temporarily remove Number field types from user profile layouts
Navigate to Settings → Fields → Edit Number fields → Remove from User field layout
Implement Content Security Policy
Add CSP headers to prevent script execution
Add to web.config or .htaccess: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement strict input validation for all Number field Prefix/Suffix values
- Enable CSP headers with script-src restrictions and consider disabling user profile Number fields
🔍 How to Verify
Check if Vulnerable:
Check the Craft version in Control Panel → Utilities → System Report, or run: php craft --version
Check Version:
php craft --version
Verify Fix Applied:
Confirm the version is 4.16.18+ or 5.8.22+, then verify that a Number field prefix/suffix containing script-like input renders as escaped text on user profiles rather than executing
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to field settings
- Admin user actions adding script tags to field configurations
Network Indicators:
- Unexpected script tags in profile page responses
- External script loads from user profile pages
SIEM Query:
source="craft.log" AND ("field settings" OR "Number field") AND ("script" OR "<script" OR "javascript:")