PT-2026-7138 · Craft · Craft

Mhe4Am · Published 2026-02-09 · Updated 2026-02-09 · CVE-2026-25491

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Craft versions 5.0.0-RC1 through 5.8.21
Description: Craft is susceptible to stored cross-site scripting (XSS) because Entry Type names are not sufficiently sanitized: the application does not sanitize the name when displaying it in the Entry Types list. An attacker with admin access and allowAdminChanges enabled can inject malicious code, such as a JavaScript payload, into the Entry Type name field; the injected code then executes when other administrators view the Entry Types list at the /admin/settings/entry-types endpoint. The vulnerability is triggered by a crafted Entry Type name such as <img src=x onerror="alert('XSS-EntryTypes')" hidden>.
Recommendations: Craft versions 5.0.0-RC1 through 5.8.21 should be updated to version 5.8.22 or later.
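The following is an added example, not Craft's own code, written in Python rather than Craft's PHP/Twig so it runs stand-alone. It shows the two defender-side steps the description implies: auditing stored Entry Type names for markup left behind before the upgrade, and rendering the list with every name HTML-escaped so the advisory's payload is displayed as text instead of executed. The sample names other than the advisory's payload are constructed.

```python
import html
import re

# Payload quoted in the advisory, used here only as test input.
ADVISORY_PAYLOAD = '<img src=x onerror="alert(\'XSS-EntryTypes\')" hidden>'

# Constructed sample of entry type names as they might sit in the database
# (assumption: names are stored verbatim, as the advisory describes).
SAMPLE_ENTRY_TYPE_NAMES = [
    "Article",
    "Press Release",
    ADVISORY_PAYLOAD,
    "<b>Promo</b>",
]

# Markup that has no business in a plain entry type name: a tag opener,
# an inline event handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_entry_type_names(names):
    """Return names that contain HTML tags or inline event handlers.

    Intended as a pre- or post-upgrade audit: a name injected before the
    fix stays in the database and should be reviewed or renamed."""
    return [n for n in names if _MARKUP.search(n)]


def render_entry_type_list(names):
    """Render the list the safe way: each name is HTML-escaped (including
    quotes) before being placed in the markup, so a stored payload is
    shown literally rather than interpreted by the browser."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f"<ul>{items}</ul>"


def is_safely_rendered(rendered):
    """True if, apart from the list structure itself, no raw angle
    brackets survive in the rendered HTML."""
    stripped = re.sub(r"</?(ul|li)>", "", rendered)
    return "<" not in stripped and ">" not in stripped


if __name__ == "__main__":
    print(find_suspicious_entry_type_names(SAMPLE_ENTRY_TYPE_NAMES))
    print(render_entry_type_list(SAMPLE_ENTRY_TYPE_NAMES))
```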

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2026-25491
GHSA-7PR4-WX9W-MQWR

Affected Products

Craft