CVE-2026-25491: Craft CMS Vulnerable to Stored XSS in Entry Types Name

February 9, 2026

Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.

References

github.com/advisories/GHSA-7pr4-wx9w-mqwr
github.com/craftcms/cms
github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4
github.com/craftcms/cms/releases/tag/5.8.22
github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr
nvd.nist.gov/vuln/detail/CVE-2026-25491

Code Behaviors & Features

Detect and mitigate CVE-2026-25491 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →