PT-2026-7146 · Craft · Craft

Mhe4Am · Published 2026-02-09 · Updated 2026-02-09 · CVE-2026-25496

CVSS v4.0: 4.8 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft versions 4.0.0-RC1 through 4.16.17; Craft versions 5.0.0-RC1 through 5.8.21

Description: Craft is a platform for creating digital experiences. A stored Cross-Site Scripting (XSS) vulnerability exists in the settings of the Number field type. The Prefix and Suffix settings are rendered through the |md|raw Twig filter chain: |md converts the stored value from Markdown to HTML and |raw marks the result as safe, so Twig's output escaping is bypassed and the value is emitted without sanitization. Script placed in these settings therefore executes when the Number field is displayed on users' profiles. Note that the CVSS vector rates the required privileges as high (PR:H) and requires user interaction (UI:P), since the Prefix and Suffix values are set by whoever can edit the field's settings.

Recommendations: Update to Craft version 4.16.18 or later (4.x), or to Craft version 5.8.22 or later (5.x).

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-25496 · GHSA-9F5H-MMQ6-2X78

Affected Products: Craft