Description
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Published: 2026-02-09
Score: 1.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: the name of an Entry Type is not sanitized before it is displayed in the Entry Types list. An attacker who can store a malicious value in an Entry Type name can execute arbitrary JavaScript in the browser of any user who later views that list, enabling client-side code execution, session hijacking or defacement. The flaw is rated CVSS 1.9, indicating low overall severity, but it still permits unauthenticated code execution in the context of a logged-in user.

Affected Systems

Craft CMS versions from 5.0.0-RC1 up to and including 5.8.21 are affected. Administrators or users with permission to create or edit Entry Types on an affected installation could exploit the flaw until it is patched. Versions 5.8.22 and later contain the fix.

Risk and Exploitability

Given the low CVSS score of 1.9 and an EPSS score below 1 percent, the likelihood of active exploitation is small, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker with content authoring privileges who injects a malicious script into an Entry Type name; once the name is stored, the script runs for anyone who subsequently views the Entry Types list. Because the flaw requires edit access to the Entry Type, broader server-side code execution cannot be achieved without also compromising higher privileges.

Generated by OpenCVE AI on April 17, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.8.22 or later.
  • Restrict the permissions that allow creating or editing Entry Type names to trusted administrators only.
  • Enable a web application firewall or input sanitization rule to reject or escape script tags in Entry Type names.

Advisories
Source | ID | Title
Github GHSA | GHSA-7pr4-wx9w-mqwr | Craft CMS Vulnerable to Stored XSS in Entry Types Name
History

Thu, 19 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms craft Cms
CPEs | | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
Vendors & Products | | Craftcms craft Cms
Metrics | | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Tue, 10 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms; Craftcms craftcms
Vendors & Products | | Craftcms; Craftcms craftcms

Mon, 09 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Title | | Craft has a Stored XSS in Entry Types Name
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 1.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:46.911Z

Reserved: 2026-02-02T16:31:35.823Z

Link: CVE-2026-25491

Vulnrichment

Updated: 2026-02-10T15:30:23.236Z

NVD

Status: Analyzed

Published: 2026-02-09T20:15:57.483

Modified: 2026-02-19T19:26:43.110

Link: CVE-2026-25491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses