Craft has a stored XSS in Number Prefix & Suffix Fields
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix settings are rendered through the |md|raw Twig filter chain without HTML-encoding the stored value, so markup placed in them is emitted verbatim and any script it carries executes when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Craft CMS Number field Prefix/Suffix settings allows script execution when viewing user profiles, patched in versions 4.16.18 and 5.8.22.
Vulnerability
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a stored cross-site scripting (XSS) vulnerability in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing arbitrary HTML/JavaScript to be embedded and executed when the field is displayed [1][4].
Exploitation
Exploitation requires an administrator account in an environment where the allowAdminChanges config setting is enabled; Craft's guidance is to leave it disabled in production, so a production site following that guidance is not exposed to new payloads. With that access, the attacker creates a Number field and places a payload such as an <img> tag with an onerror handler in its Prefix or Suffix setting, then adds the field to an element type's field layout (e.g. the user field layout). Because the prefix and suffix are rendered as part of the field's input markup rather than as part of its value, the payload executes for every user who views a profile containing the field, whether or not the field holds a value [4].
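As an added illustration (not Craft's code, and not part of the original page), the Python below models the two Twig filter chains from the fix. A tiny inline-Markdown renderer stands in for |md(inlineOnly=true), and the encode argument is modelled as HTML-encoding the input before Markdown processing; that ordering is an assumption about Craft's filter, not something the page states. The payload is the advisory's kind of <img onerror> tag, constructed here, pushed through the pre-fix and post-fix chains:

```python
"""Model the pre-fix and post-fix Twig filter chains from the Craft advisory.

Craft's |md filter is represented by a deliberately tiny inline-Markdown
renderer (bold and italic only); it is NOT Craft's code.  The thing to notice
is the order of operations: encode=true is assumed to HTML-encode the *input*
before any Markdown is turned into tags, so a stored <img onerror=...> payload
reaches the page as text, while the trailing |raw still lets the renderer's
own <strong>/<em> tags through.
"""
import html
import re

# Very small inline-Markdown subset standing in for |md(inlineOnly=true).
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_ITALIC = re.compile(r"\*(.+?)\*")


def md_inline(text: str, encode: bool = False) -> str:
    """Stand-in for Craft's |md(inlineOnly=true, encode=...) filter (assumption)."""
    if encode:
        # Modelled encode=true: escape the raw string before Markdown processing.
        text = html.escape(text, quote=True)
    text = _BOLD.sub(r"<strong>\1</strong>", text)
    text = _ITALIC.sub(r"<em>\1</em>", text)
    return text


def render_prefix_vulnerable(prefix: str) -> str:
    """{{ prefix|t('site')|md(inlineOnly=true)|raw }} as it was before the fix.
    |raw means whatever the renderer returns is emitted verbatim."""
    return md_inline(prefix, encode=False)


def render_prefix_patched(prefix: str) -> str:
    """{{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }} after the fix."""
    return md_inline(prefix, encode=True)


# Tag-level check: does the rendered string contain any element other than the
# renderer's own formatting tags?  That is exactly what a stored payload needs.
_TAG = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
ALLOWED_TAGS = {"strong", "em"}


def emits_foreign_markup(rendered: str) -> bool:
    return any(m.group(1).lower() not in ALLOWED_TAGS for m in _TAG.finditer(rendered))


# Constructed sample settings: a legitimate Markdown prefix and the kind of
# payload the advisory describes (an <img> with an onerror handler).
BENIGN_PREFIX = "**$**"
MALICIOUS_PREFIX = '<img src=x onerror="alert(document.cookie)">'

if __name__ == "__main__":
    for label, value in (("benign", BENIGN_PREFIX), ("malicious", MALICIOUS_PREFIX)):
        print(f"{label:9} vulnerable: {render_prefix_vulnerable(value)}")
        print(f"{label:9} patched:    {render_prefix_patched(value)}")
```

Run it and compare the two lines for the malicious prefix: the vulnerable chain echoes the tag unchanged, the patched chain emits &lt;img …&gt;, while the benign **$** prefix still becomes <strong>$</strong> in both, which is why the fix could keep |raw instead of dropping Markdown support.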
Impact
When a victim views a page containing the crafted Number field, the injected script runs in the context of the victim's session. This can lead to session hijacking, data exfiltration, or control panel actions performed with the victim's privileges, which matters most when the victim is another administrator.
Mitigation
The vulnerability is patched in Craft CMS versions 4.16.18 and 5.8.22 [2][4]; administrators should update immediately. The fix commit (see References) keeps the |raw filter but passes encode=true to |md, so the stored prefix and suffix are HTML-encoded before Markdown processing and an embedded tag is rendered as text. As a workaround, disabling allowAdminChanges in production prevents new fields from being created there, but it does not remove a payload already stored in an existing field's settings (including one arriving through project config sync), so the Prefix and Suffix settings of existing Number fields should also be reviewed. The advisory recommends escaping prefix/suffix values with the |e filter rather than emitting them with |raw [4].
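One way to do that review, added here as an example and not part of Craft or of the advisory: scan the project config field files for Number fields whose prefix or suffix contains anything tag- or handler-like. The assumed layout is config/project/fields/<uid>.yaml, each a flat YAML document with a nested settings: map holding prefix and suffix; the file names and YAML below are constructed, and the reader is a minimal stand-in for PyYAML so the script runs with the standard library only.

```python
"""Audit Craft project-config field files for Number fields whose Prefix or
Suffix setting looks like markup.

Upgrading stops the control panel rendering these values as HTML, and
allowAdminChanges: false stops new fields being created in production, but
neither removes a payload that is already stored.  Assumed file layout:
config/project/fields/<uid>.yaml, flat scalars plus a two-space-indented
`settings:` map.  This is not Craft's code; the sample documents are constructed.
"""
import re
from pathlib import Path

NUMBER_FIELD_TYPE = "craft\\fields\\Number"
# Anything that could become an element, an event handler, or a script URL
# once the value is rendered unescaped.
SUSPICIOUS = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_field_yaml(text: str) -> dict:
    """Minimal reader for the assumed field-file shape (top-level `key: value`
    lines plus an indented `settings:` map).  Not a general YAML parser; use
    PyYAML against a real project config."""
    top: dict = {}
    settings: dict = {}
    in_settings = False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indented = raw.startswith("  ")
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        # Strip one layer of YAML quoting; '' inside single quotes is an escaped quote.
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1].replace("''", "'")
        if not indented:
            in_settings = key == "settings" and value == ""
            if not in_settings:
                top[key] = value
        elif in_settings:
            settings[key] = value
    top["settings"] = settings
    return top


def find_risky_fields(field_docs: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (file, handle, setting, value) for every Number field whose
    prefix or suffix matches SUSPICIOUS.  Other field types are ignored."""
    hits = []
    for name, text in field_docs.items():
        doc = parse_field_yaml(text)
        if doc.get("type") != NUMBER_FIELD_TYPE:
            continue
        for setting in ("prefix", "suffix"):
            value = doc["settings"].get(setting, "")
            if value and value.lower() != "null" and SUSPICIOUS.search(value):
                hits.append((name, doc.get("handle", "?"), setting, value))
    return hits


def load_field_files(project_dir: Path) -> dict[str, str]:
    """Read config/project/fields/*.yaml from a real Craft project (assumed path)."""
    fields_dir = project_dir / "config" / "project" / "fields"
    return {p.name: p.read_text(encoding="utf-8") for p in sorted(fields_dir.glob("*.yaml"))}


# Constructed sample: a benign Number field, one carrying the advisory's kind of
# payload, and a non-Number field whose settings are out of scope.
SAMPLE_FIELDS = {
    "a1b2c3d4-price.yaml": """\
handle: price
name: Price
settings:
  decimals: 2
  prefix: '$'
  suffix: ' USD'
type: craft\\fields\\Number
""",
    "e5f6a7b8-weight.yaml": """\
handle: weight
name: Weight
settings:
  decimals: 0
  prefix: '<img src=x onerror="alert(document.cookie)">'
  suffix: kg
type: craft\\fields\\Number
""",
    "c9d0e1f2-bio.yaml": """\
handle: bio
name: Bio
settings:
  placeholder: '<b>not a Number field</b>'
type: craft\\fields\\PlainText
""",
}

if __name__ == "__main__":
    for file, handle, setting, value in find_risky_fields(SAMPLE_FIELDS):
        print(f"{file}: Number field '{handle}' has suspicious {setting}: {value!r}")
```

Against a real project, replace SAMPLE_FIELDS with load_field_files(Path("/path/to/site")); a hit does not prove a successful attack, but any Number field whose prefix or suffix contains a tag or an on*= attribute has no legitimate reason to and should be cleaned before or alongside the upgrade.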
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
| craftcms/cms | Packagist | >= 4.0.0-RC1, < 4.16.18 | 4.16.18 |
Patches
1 file changed · +2 −2
src/templates/_components/fieldtypes/Number/input.twig+2 −2 modified@@ -25,7 +25,7 @@ <div class="flex"> {% if hasPrefix %} <div aria-hidden="true"> - {{ prefix|t('site')|md(inlineOnly=true)|raw }} + {{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }} </div> {% endif %} <div> @@ -40,7 +40,7 @@ </div> {% if hasSuffix %} <div aria-hidden="true"> - {{ suffix|t('site')|md(inlineOnly=true)|raw }} + {{ suffix|t('site')|md(inlineOnly=true,encode=true)|raw }} </div> {% endif %} </div>
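Review bot: both hunks keep `|raw` at the end of the chain, so the safety of the rendered prefix and suffix now rests entirely on `md(inlineOnly=true,encode=true)` encoding the string before Markdown processing; a regression test that stores a prefix such as `<img src=x onerror=alert(1)>` and asserts the rendered input contains `&lt;img` rather than `<img` would lock that behaviour in. The prefix and suffix chains are otherwise identical (`{{ prefix|t('site')|md(inlineOnly=true,encode=true)|raw }}` and `{{ suffix|t('site')|md(inlineOnly=true,encode=true)|raw }}`), so any later change to one must be mirrored in the other; a small macro taking the value would remove that duplication. The diff touches only src/templates/_components/fieldtypes/Number/input.twig, so any other template that renders these settings with the pre-fix chain needs the same change.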
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9f5h-mmq6-2x78 (GitHub advisory database)
- nvd.nist.gov/vuln/detail/CVE-2026-25496 (NVD)
- github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513 (fix commit)
- github.com/craftcms/cms/releases/tag/4.16.18 (release notes)
- github.com/craftcms/cms/releases/tag/5.8.22 (release notes)
- github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78 (repository security advisory)