Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
Published: 2026-02-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting via unsanitized Number field prefix and suffix settings
Action: Patch Now
AI Analysis

Impact

Craft CMS allows administrators to configure numeric fields with optional prefix and suffix text. Those settings are passed through the |md|raw Twig filter chain: the value is converted from Markdown to HTML and then output without escaping, so an attacker who can edit the settings can store script tags or other executable markup in them. When the Number field is displayed on a user profile, the injected script executes in the viewer's browser context, potentially allowing session hijacking, data theft, or actions performed on behalf of that user. The vulnerability is a classic stored XSS (CWE‑79).

Affected Systems

The flaw exists in Craft CMS versions 4.0.0‑RC1 through 4.16.17 and 5.0.0‑RC1 through 5.8.21. Users of any of these releases should verify their installed version and apply the update if necessary.

Risk and Exploitability

The CVSS score of 4.8 reflects moderate impact. The EPSS score of <1% indicates that the current likelihood of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to edit the Number field settings, a capability normally restricted to administrators. Once the malicious prefix or suffix is stored, any visitor to the affected profile page executes the payload, so the attack reaches both authenticated and unauthenticated users. Because privileged write access is required, the attack vector is best described as authenticated insider or compromised‑account exploitation. The overall risk to an unpatched system is moderate and grows over time as more vulnerable sites are identified.

Generated by OpenCVE AI on April 18, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.16.18, 5.8.22, or newer to apply the official patch.
  • Restrict or remove administrative access to Number field type settings; only trusted administrators should modify prefixes or suffixes.
  • Monitor system logs and asset configuration to detect unauthorized changes to Number field prefixes or suffixes, and temporarily disable public viewing of affected profiles if possible until the patch is applied.
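Added example (not from the advisory or from Craft CMS itself): a small Python audit that ties the mechanism described under Impact to the monitoring advice above. It walks a constructed mapping of field handles to settings, shaped like the entries Craft writes to its project config (that layout, the `craft\fields\Number` type string and the `prefix`/`suffix` setting keys are assumptions here), and flags any Number-field prefix or suffix containing an HTML tag, a Markdown link or image, or an HTML entity, since each of those is interpreted as markup once the value passes through |md|raw.

```python
import re

# Assumed type string for Craft's Number field class; the project-config shape
# below (handle -> {"type": ..., "settings": {...}}) is likewise an assumption
# made for this example, not something taken from the advisory.
NUMBER_FIELD_TYPE = "craft\\fields\\Number"

# Anything matching these becomes live markup after Markdown-to-HTML conversion
# followed by raw (unescaped) output.
MARKUP_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "markdown_link": re.compile(r"!?\[[^\]]*\]\([^)]*\)"),
    "html_entity": re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);"),
}


def audit_number_field_settings(fields):
    """Return (handle, setting, reason, value) tuples for every Number field
    whose prefix or suffix contains markup-like content, ordered by handle."""
    findings = []
    for handle, field in sorted(fields.items()):
        if field.get("type") != NUMBER_FIELD_TYPE:
            continue  # only Number fields carry the affected settings
        settings = field.get("settings") or {}
        for key in ("prefix", "suffix"):
            value = settings.get(key)
            if not value:
                continue
            for reason, pattern in MARKUP_PATTERNS.items():
                if pattern.search(str(value)):
                    findings.append((handle, key, reason, value))
                    break  # one reason per setting is enough to raise it
    return findings


# Constructed sample data, not a real site's configuration.
SAMPLE_FIELDS = {
    "price": {"type": NUMBER_FIELD_TYPE,
              "settings": {"prefix": "$", "suffix": " USD"}},
    "weight": {"type": NUMBER_FIELD_TYPE,
               "settings": {"prefix": None,
                            "suffix": '<span class="unit">kg</span>'}},
    "rate": {"type": NUMBER_FIELD_TYPE,
             "settings": {"prefix": "[info](https://example.invalid)",
                          "suffix": "%"}},
    # Not a Number field, so ignored even though its setting contains a tag.
    "bio": {"type": "craft\\fields\\PlainText",
            "settings": {"prefix": "<b>ignored</b>"}},
}

if __name__ == "__main__":
    for handle, key, reason, value in audit_number_field_settings(SAMPLE_FIELDS):
        print(f"{handle}.{key}: {reason}: {value!r}")
```

Run it on a schedule against the exported project config and diff the output against a known-good baseline; plain units such as "$" or "kg" never trip it, while any tag, link or entity in a prefix or suffix is something an administrator should be able to explain. The stored value persists across the upgrade, so a finding on a patched install is still worth reviewing.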

Advisories

Source: GitHub GHSA
ID: GHSA-9f5h-mmq6-2x78
Title: Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
History

Thu, 19 Feb 2026 19:30:00 +0000

Values Added:
  First Time appeared: Craftcms craft Cms
  CPEs:
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  Vendors & Products: Craftcms craft Cms
  Metrics (cvssV3_1):
    {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Tue, 10 Feb 2026 16:15:00 +0000

Values Added:
  Metrics (ssvc):
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Values Added:
  First Time appeared: Craftcms; Craftcms craftcms
  Vendors & Products: Craftcms; Craftcms craftcms

Mon, 09 Feb 2026 20:00:00 +0000

Values Added:
  Description: Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
  Title: Craft has a stored XSS in Number Prefix & Suffix Fields
  Weaknesses: CWE-79
  References:
  Metrics (cvssV4_0):
    {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-10T16:00:13.566Z
Reserved: 2026-02-02T16:31:35.824Z
Link: CVE-2026-25496

Vulnrichment

Updated: 2026-02-10T15:30:20.434Z

NVD

Status: Analyzed
Published: 2026-02-09T20:15:58.223
Modified: 2026-02-19T19:17:02.927
Link: CVE-2026-25496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses