CVE-2026-25491

Published: Feb 9, 2026Modified: Feb 19, 2026

1.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Affected (1)

Products: Craftcms: Craft Cms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Craftcms Craft Cms	From 5.0.0 to 5.8.21

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4

Source: security-advisories@github.com

Patch

https://github.com/craftcms/cms/releases/tag/5.8.22

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

Source: security-advisories@github.com

ExploitPatchVendor Advisory

Timeline

No history available yet.