GHSA-9F5H-MMQ6-2X78

Vulnerability from github – Published: 2026-02-09 20:35 – Updated: 2026-02-09 22:39
Summary
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Details

Summary

A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.

Proof of Concept

Required Permissions

  • Administrator access
  • allowAdminChanges is enabled in production, which is against our security recommendations (https://craftcms.com/knowledge-base/securing-craft).

Steps to Reproduce

  1. Log in with an admin account
  2. Navigate to Settings → Fields → New field
  3. Choose Number as the field type
  4. Set the Prefix/Suffix Text field to:
<img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
  5. Save the field
  6. Add this field to any element (e.g., User Profile fields via Settings → Users → User Fields)
  7. Navigate to your account (/admin/myaccount) or any user profile (/admin/users/{id})
  8. XSS executes when viewing the form

Mitigation

Sanitize prefix/suffix before rendering, or use the |e filter instead of |raw.
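The escaping difference the advisory describes, shown with the real Twig library rather than Craft's own templates (this is an added example, not Craft's code or the patched template). It assumes twig/twig is installed via Composer; Craft's |md markdown filter is omitted because anything passed to |raw afterwards is emitted unescaped regardless of that step.

```php
<?php
// Added example: contrasts the weak |raw rendering with the |e fix.
// Assumes twig/twig is available via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample value standing in for admin-supplied prefix text.
// A harmless tag is enough to show whether markup survives rendering.
$prefix = '<i>USD</i>';

$loader = new ArrayLoader([
    // Weak: |raw switches off Twig's HTML autoescaping for this value,
    // so whatever was stored in the field setting reaches the browser as markup.
    'weak'  => '<span class="prefix">{{ prefix|raw }}</span>',
    // Fixed (the advisory's mitigation): |e escapes <, >, ", ' and &,
    // so the stored text is displayed literally instead of being parsed.
    'fixed' => '<span class="prefix">{{ prefix|e }}</span>',
]);

// Autoescape defaults to 'html'; only |raw opts a value out of it.
$twig = new Environment($loader);

// Helper used to check a rendered fragment for unescaped angle brackets
// that did not come from the template itself.
function containsUnescapedInput(string $html, string $input): bool
{
    return str_contains($html, $input);
}

foreach (['weak', 'fixed'] as $name) {
    $html = $twig->render($name, ['prefix' => $prefix]);
    $verdict = containsUnescapedInput($html, $prefix)
        ? 'input emitted as markup (vulnerable)'
        : 'input escaped (safe)';
    printf("%-5s %s%s  %s%s", $name, PHP_EOL, $html, $verdict, PHP_EOL);
}
```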


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.17"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.16.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T20:35:47Z",
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users\u0027 profiles.\n\n## Proof of Concept\n\n### Required Permissions\n\n- Administrator access\n- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).\n\n### Steps to Reproduce\n1. Log in with an admin account\n2. Navigate to **Settings** \u2192 **Fields** \u2192 **New field**\n3. Choose **Number** as the field type\n4. Set the **Prefix/Suffix Text** field to: \u003cimg width=\"611\" height=\"908\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63766ca4-4fa9-490b-8bea-37364137527d\" /\u003e\n```html\n\u003cimg src=x onerror=\"alert(\u0027Number Prefix/Suffix XSS\u0027)\" hidden\u003e\n```\n5. Save the field\n6. Add this field to any element (e.g., User Profile fields via **Settings** \u2192 **Users** \u2192 **User Fields**)\n7. Navigate to your account (`/admin/myaccount`) or any user profile (`/admin/users/{id}`)\n8. XSS executes when viewing the form \u003cimg width=\"1246\" height=\"677\" alt=\"image-1\" src=\"https://github.com/user-attachments/assets/dafeb2b7-905f-4a4b-b3d6-1c16a905498f\" /\u003e\n\n## Mitigation\nSanitize prefix/suffix before rendering or use `|e` filter instead of `|raw`.",
  "id": "GHSA-9f5h-mmq6-2x78",
  "modified": "2026-02-09T22:39:05Z",
  "published": "2026-02-09T20:35:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Vulnerable to Stored XSS in Number Prefix \u0026 Suffix Fields"
}