CVE-2026-25491
Published 2026-02-09
Priority: P4 · 22 · medium · 4.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.31% (22.6th percentile)
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | >= 5.0.0 < 5.8.21 | 5.8.21 |
CVSS provenance
- NVD, CVSS v3.1: 4.8 MEDIUM, vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`
- NVD, CVSS v4.0: 1.9 LOW, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
GHSA
Craft CMS Vulnerable to Stored XSS in Entry Types Name
ghsa·2026-02-09
CVE-2026-25491 [LOW] CWE-79 Craft CMS Vulnerable to Stored XSS in Entry Types Name
## Summary
Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.
---
## Proof of Concept
### Required Permissions (Attacker)
- Admin access (only admins have access to the settings page)
- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).
### Steps to Reproduce
1. Log in as an attacker.
2. Go to **Settings** -> **Entry Types** (`/admin/settings/entry-types`).
3. Create a new Entry Type.
4. Set **Name** to:
```html
```
5. Save the Entry Type, and you’ll be redirected back to the entry types table automatically.
6. Notice the alert fires when the entry types table renders.
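The sink described above is an admin list that interpolates a stored field straight into markup. The following is an added illustration, not Craft's own code or fix: the unsafe rendering pattern beside the encoded one, plus a small audit helper for reviewing existing Entry Type names after upgrading. The row shape (`id`, `handle`, `name`) and the sample record are assumptions.

```javascript
// Added illustration of the bug class in CVE-2026-25491, not Craft's code.

// Encode the five characters that matter in HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is concatenated into the table row,
// so whatever was saved in "Name" is parsed as HTML when the list renders.
function renderRowVulnerable(entryType) {
  return `<tr><td><a href="/admin/settings/entry-types/${entryType.id}">` +
         `${entryType.name}</a></td><td><code>${entryType.handle}</code></td></tr>`;
}

// Hardened pattern: every stored value is encoded for the context it lands in
// (HTML text for name/handle, URL component for the id in the href).
function renderRowSafe(entryType) {
  return `<tr><td><a href="/admin/settings/entry-types/${encodeURIComponent(entryType.id)}">` +
         `${escapeHtml(entryType.name)}</a></td>` +
         `<td><code>${escapeHtml(entryType.handle)}</code></td></tr>`;
}

// Audit helper: flags a stored name that contains anything a browser would
// parse as a tag, so existing data can be reviewed after patching to 5.8.22.
function looksLikeMarkup(name) {
  return /<\s*\/?[a-zA-Z!]/.test(String(name));
}

// Constructed sample record (assumed shape); not data from the advisory.
const sampleEntryType = { id: 7, handle: 'blog', name: 'Blog <script>alert(1)</script>' };
```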
OSV
Craft CMS Vulnerable to Stored XSS in Entry Types Name
osv·2026-02-09
No detection rules found.
No public exploits indexed.