CVE-2026-25496: Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
A stored XSS vulnerability exists in the Number field type's settings: the Prefix and Suffix values are rendered through the |md|raw Twig filter chain without escaping, so markup stored in those settings is emitted verbatim and executes as script when the Number field is displayed on users' profiles.
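A template audit for the filter chain the advisory names, added here as an illustration rather than code from Craft CMS or its fix commit: it scans Twig sources for any {{ ...|md|raw }} output tag (not only the Number field's prefix and suffix, so it generalizes to custom templates and plugins using the same pattern). The sample templates and the field.prefix / field.suffix names in them are constructed for the example.

```python
import re

# Matches a Twig output tag whose filter chain ends in |md|raw (the chain
# the advisory describes), tolerating whitespace around the pipe characters.
MD_RAW = re.compile(r"\{\{[^}]*?\|\s*md\s*\|\s*raw\s*\}\}")


def find_md_raw(template: str):
    """Return (line_number, expression) for each {{ ...|md|raw }} tag."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in MD_RAW.finditer(line):
            hits.append((lineno, match.group(0).strip()))
    return hits


def audit(templates: dict):
    """Map template name -> hits; templates without the pattern are omitted."""
    report = {}
    for name, source in templates.items():
        hits = find_md_raw(source)
        if hits:
            report[name] = hits
    return report


# Constructed sample templates (hypothetical, not Craft's own files). The first
# mirrors the vulnerable pattern; the second leaves the same settings to Twig's
# autoescaping (or an explicit |e), so stored markup renders as literal text.
SAMPLE_TEMPLATES = {
    "fields/number.twig": (
        '<span class="prefix">{{ field.prefix|md|raw }}</span>\n'
        "{{ value }}\n"
        '<span class="suffix">{{ field.suffix | md | raw }}</span>\n'
    ),
    "fields/number-fixed.twig": (
        '<span class="prefix">{{ field.prefix }}</span>\n'
        "{{ value }}\n"
        '<span class="suffix">{{ field.suffix|e }}</span>\n'
    ),
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_TEMPLATES).items():
        for lineno, expr in hits:
            print(f"{name}:{lineno}: {expr}")
```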
References
- github.com/advisories/GHSA-9f5h-mmq6-2x78
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
- github.com/craftcms/cms/releases/tag/4.16.18
- github.com/craftcms/cms/releases/tag/5.8.22
- github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
- nvd.nist.gov/vuln/detail/CVE-2026-25496