Low severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026
Craft has a Stored XSS in Entry Types Name
CVE-2026-25491
Description
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
References
- github.com/advisories/GHSA-7pr4-wx9w-mqwr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25491 (ghsa, ADVISORY)
- github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4 (ghsa, x_refsource_MISC, WEB)
- github.com/craftcms/cms/releases/tag/5.8.22 (ghsa, x_refsource_MISC, WEB)
- github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr (ghsa, x_refsource_CONFIRM, WEB)