Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-b25s-j3du-sfg5
Vulnerability ID VCID-b25s-j3du-sfg5
Aliases CVE-2026-25496
GHSA-9f5h-mmq6-2x78
Summary Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00027 https://api.first.org/data/v1/epss?cve=CVE-2026-25496
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-9f5h-mmq6-2x78
cvssv4 4.8 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 4.8 https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
generic_textual MODERATE https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
ssvc Track https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
cvssv4 4.8 https://github.com/craftcms/cms/releases/tag/4.16.18
generic_textual MODERATE https://github.com/craftcms/cms/releases/tag/4.16.18
cvssv4 4.8 https://github.com/craftcms/cms/releases/tag/5.8.22
generic_textual MODERATE https://github.com/craftcms/cms/releases/tag/5.8.22
ssvc Track https://github.com/craftcms/cms/releases/tag/5.8.22
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
cvssv4 4.8 https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
cvssv4 4.8 https://nvd.nist.gov/vuln/detail/CVE-2026-25496
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-25496
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-25496
https://github.com/craftcms/cms/releases/tag/4.16.18
5.8.22 https://github.com/craftcms/cms/releases/tag/5.8.22
cb5fb0e979e72f315c9178fc031883d49527f513 https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
CVE-2026-25496 https://nvd.nist.gov/vuln/detail/CVE-2026-25496
GHSA-9f5h-mmq6-2x78 https://github.com/advisories/GHSA-9f5h-mmq6-2x78
GHSA-9f5h-mmq6-2x78 https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/ Found at https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/4.16.18
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/5.8.22
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/ Found at https://github.com/craftcms/cms/releases/tag/5.8.22
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-25496
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.08265
EPSS Score 0.00027
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:41:30.511350+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/25xxx/CVE-2026-25496.json 38.6.0