CVE-2026-25496
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
Description

## Summary

A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.

## Proof of Concept

### Required Permissions

- Administrator access
- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).

### Steps to Reproduce

1. Log in with an admin account
2. Navigate to **Settings** → **Fields** → **New field**
3. Choose **Number** as the field type
4. Set the **Prefix/Suffix Text** field to:

   ```html
   <img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
   ```

5. Save the field
6. Add this field to any element (e.g., User Profile fields via **Settings** → **Users** → **User Fields**)
7. Navigate to your account (`/admin/myaccount`) or any user profile (`/admin/users/{id}`)
8. XSS executes when viewing the form

## Mitigation

Sanitize prefix/suffix before rendering, or use the `|e` filter instead of `|raw`.
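The following is an added example, not code from Craft CMS or from the advisory. It models the rendering pattern the summary describes (`{{ affix|md|raw }}`) beside a hardened form that escapes before the markdown filter runs, and adds a check that scans exported field settings for prefix/suffix values that already contain HTML. The `md` and `escapeHtml` functions are small stand-ins for Twig's `|md` and `|e` filters, and the `SAMPLE_FIELDS` object shape is constructed for this example; it is not Craft's real field model.

```javascript
// Added example, not code from Craft CMS or the advisory: models how a Number
// field's prefix/suffix text reaches the control-panel page, with the pattern
// the advisory describes ({{ affix|md|raw }}) beside a hardened form, plus a
// check for affix values already stored with HTML in them.

// Assumption: a tiny stand-in for Twig's |md filter. It converts only inline
// `code` and **bold**, but, like a full markdown renderer, it passes any
// literal HTML in its input through untouched.
function md(text) {
  return text
    .replace(/`([^`]+)`/g, '<code>$1</code>')
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
}

// Stand-in for Twig's |e (html strategy): the five significant characters.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern, equivalent to {{ affix|md|raw }}: |raw marks the
// markdown output as safe, so autoescaping is skipped and whatever HTML the
// admin typed into the field settings lands in the page verbatim.
function renderAffixVulnerable(affix) {
  return md(affix);
}

// Hardened form, equivalent to {{ affix|e|md|raw }}: the stored text is
// escaped before markdown runs, so the only tags in the output are the ones
// the markdown renderer itself emits for `code` and **bold**.
function renderAffixHardened(affix) {
  return md(escapeHtml(affix));
}

// True when rendered HTML still contains a tag carrying an on* event handler,
// which is what the PoC payload relies on. Used to make the difference checkable.
function hasEventHandlerTag(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Check for an existing install: scan exported field settings for Number
// prefix/suffix values that contain any HTML tag. The object shape is
// constructed for this example and is not Craft's real field model.
function findTaggedAffixes(fields) {
  const tag = /<[a-z!\/][^>]*>/i;
  const hits = [];
  for (const field of fields) {
    if (field.type !== 'number') continue;
    for (const key of ['prefix', 'suffix']) {
      const value = field.settings && field.settings[key];
      if (typeof value === 'string' && tag.test(value)) {
        hits.push({ handle: field.handle, key, value });
      }
    }
  }
  return hits;
}

// The payload from the advisory's reproduction steps.
const PAYLOAD = '<img src=x onerror="alert(\'Number Prefix/Suffix XSS\')" hidden>';

// Constructed sample of exported field settings: one benign markdown suffix,
// one carrying the payload, and one non-Number field that must be ignored.
const SAMPLE_FIELDS = [
  { handle: 'price', type: 'number', settings: { prefix: '$', suffix: ' **USD**' } },
  { handle: 'weight', type: 'number', settings: { prefix: '', suffix: PAYLOAD } },
  { handle: 'bio', type: 'plaintext', settings: {} },
];

console.log('vulnerable:', renderAffixVulnerable(PAYLOAD));
console.log('hardened:  ', renderAffixHardened(PAYLOAD));
console.log('flagged:   ', findTaggedAffixes(SAMPLE_FIELDS).map((h) => `${h.handle}.${h.key}`));
```

Escaping before the markdown filter keeps `code` and **bold** working while neutralising typed-in tags, but it also breaks any markdown construct that depends on `<`, `>` or quotes (autolinks, blockquotes), so it is a stopgap for custom templates rather than a substitute for upgrading to the patched release. The `findTaggedAffixes` check is worth running against a project-config export after upgrading: the upgrade stops the payload from executing, but it does not remove a payload an administrator has already saved into a field.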
How to fix CVE-2026-25496
To fix CVE-2026-25496, upgrade the affected package to the patched version listed below.
- Upgrade to 5.8.22 or later
Is CVE-2026-25496 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- >= 5.0.0-RC1, < 5.8.22
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |