CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25496: Crafty Injections: Stored XSS in Craft CMS Number Fields

Vulnerability ID: CVE-2026-25496
CVSS Score: 4.8
Published: 2026-02-09

A classic case of 'trusted input' going rogue: CVE-2026-25496 is a Stored Cross-Site Scripting (XSS) vulnerability in the settings of the Craft CMS 'Number' field type. The field's prefix and suffix settings are run through the Markdown filter without being HTML-encoded first, so an administrator with permission to edit field settings can store a persistent JavaScript payload. The vulnerable template is the field's control panel input, so the payload executes in the browser of any control panel user who opens an element that uses the field.

TL;DR

Improper output encoding in Craft CMS Number fields allows Stored XSS. Specifically, the prefix and suffix settings are parsed as Markdown without HTML encoding, allowing raw script injection. Fixed in 4.16.18 and 5.8.22.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0: 4.8 (Medium)
  • Privileges Required: High (Admin)
  • Impact: Stored XSS / Session Hijacking
  • Vulnerable Component: Number Field Settings (Prefix/Suffix)

Affected Systems

  • Craft CMS 4.x: >= 4.0.0-RC1, < 4.16.18 (fixed in 4.16.18)
  • Craft CMS 5.x: >= 5.0.0-RC1, < 5.8.22 (fixed in 5.8.22)

Code Analysis

Commit: cb5fb0e

Fixed potential XSS in Number field inputs by encoding markdown

--- a/src/templates/_components/fieldtypes/Number/input.twig
+++ b/src/templates/_components/fieldtypes/Number/input.twig
@@ -25,7 +25,7 @@
 <div class="flex">
     {% if hasPrefix %}
         <div aria-hidden="true">
-            {{ prefix|t('site')|md(inlineOnly=true)|raw }}
+            {{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }}
         </div>
     {% endif %}
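Review bot: this hunk only touches the `hasPrefix` branch, while the commit message ("Number field inputs") and the advisory both say prefix and suffix are affected; the suffix output further down in the same template needs the same `encode=true` argument or half of the reported vector stays open. Note also that `|raw` remains, so the whole fix rests on `encode=true` escaping the string before Markdown parsing; a regression test that renders a prefix containing a literal `<` and asserts the input markup contains `&lt;` would pin that behaviour down.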

Exploit Details

  • Manual: an administrator with field-editing permission saves a Number field whose prefix or suffix setting contains HTML tags; the tags are emitted unencoded every time the field's control panel input is rendered.

Mitigation Strategies

  • Set 'allowAdminChanges' to false in config/general.php for production. This blocks field settings from being edited on the production control panel; note that a payload planted in another environment can still reach production through project config, so this is a complement to patching, not a substitute.
  • Serve a strict Content Security Policy (CSP) for the control panel to limit what an injected script can do.
  • Audit existing Number fields for HTML tags in their prefix and suffix settings, both in the database (the 'settings' JSON of the 'fields' table) and in project config (config/project/fields/*.yaml), and clean up anything that is not plain text or simple Markdown.
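The audit bullet above and the `encode=true` change in the patch, as an added example that is not code from the Craft CMS project or from the original advisory. It assumes field rows shaped like the output of a query such as `SELECT handle, type, settings FROM fields` (the `settings` column being a JSON string; the sample rows are constructed), and it models the `encode=true` argument of the `md` filter as "HTML-escape first, then inline Markdown" with a deliberately tiny Markdown stand-in, because the order of those two steps is the whole bug:

```python
"""Find Number fields whose prefix/suffix holds raw HTML, and show why
HTML-encoding before Markdown parsing closes the hole.

Added example; not Craft CMS code. Table layout and sample rows below are
assumptions/constructed data, not real field definitions.
"""
import html
import json
import re

# Constructed sample rows: (handle, field type, settings JSON string).
SAMPLE_ROWS = [
    ("price", r"craft\fields\Number", json.dumps({"prefix": "$", "suffix": ""})),
    ("weight", r"craft\fields\Number", json.dumps({"prefix": "", "suffix": "**kg**"})),
    ("discount", r"craft\fields\Number",
     json.dumps({"prefix": "<img src=x onerror=alert(1)>", "suffix": "%"})),
    ("title", r"craft\fields\PlainText", json.dumps({"placeholder": "<b>x</b>"})),
]

# Anything that looks like the start of an HTML tag, comment or doctype.
TAG_RE = re.compile(r"<\s*[A-Za-z!/?]")


def find_html_affixes(rows):
    """Return (handle, setting, value) for every Number field whose prefix
    or suffix contains something tag-like. Other field types are skipped
    because the affected template is the Number field input."""
    hits = []
    for handle, ftype, settings in rows:
        if ftype != r"craft\fields\Number":
            continue
        parsed = json.loads(settings) if settings else {}
        for key in ("prefix", "suffix"):
            value = parsed.get(key) or ""
            if TAG_RE.search(value):
                hits.append((handle, key, value))
    return hits


def inline_markdown(text):
    """Minimal inline Markdown (`code`, **bold**, *em*). A stand-in for
    md(inlineOnly=true); real Markdown does far more, the order matters."""
    text = re.sub(r"`([^`]+)`", r"<code>\1</code>", text)
    text = re.sub(r"\*\*([^*]+)\*\*", r"<strong>\1</strong>", text)
    text = re.sub(r"\*([^*]+)\*", r"<em>\1</em>", text)
    return text


def render_affix(text, encode):
    """encode=False: the vulnerable order, Markdown over raw input then |raw.
    encode=True: the fix, escape first so a stored '<' can never open a tag
    while legitimate Markdown such as **kg** still renders."""
    if encode:
        text = html.escape(text, quote=True)
    return inline_markdown(text)


if __name__ == "__main__":
    for handle, key, value in find_html_affixes(SAMPLE_ROWS):
        print(f"{handle}.{key}: {value!r}")
        print("  unpatched ->", render_affix(value, encode=False))
        print("  patched   ->", render_affix(value, encode=True))
```

Run it against real rows by replacing `SAMPLE_ROWS` with the result of the query above; any hit is a field to clean up before and after upgrading, since the upgrade only stops the stored HTML from rendering, it does not remove it.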

Remediation Steps:

  1. Update Craft CMS to 4.16.18 or later (4.x) or 5.8.22 or later (5.x) via Composer. 'composer update craftcms/cms' only moves within the constraint in composer.json, so raise the constraint first if it pins an older release.
  2. Run 'composer update craftcms/cms', then apply any pending migrations with 'php craft migrate/all'.
  3. Verify the installed version with 'php craft -V'.

Read the full report for CVE-2026-25496 on our website for more details including interactive diagrams and full exploit analysis.
