What is CVE-2026-25496?

## Summary A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. ## Proof of Concept ### Required Permissions - Administrator access - `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft). ### Steps to Reproduce 1. Log in with an admin account 2. Navigate to **Settings** → **Fields** → **New field** 3. Choose **Number** as the field type 4. Set the **Prefix/Suffix Text** field to: ```html ``` 5. Save the field 6. Add this field to any element (e.g., User Profile fields via **Settings** → **Users** → **User Fields**) 7. Navigate to your account (`/admin/myaccount`) or any user profile (`/admin/users/{id}`) 8. XSS executes when viewing the form ## Mitigation Sanitize prefix/suffix before rendering or use `|e` filter instead of `|raw`.

What is the severity of CVE-2026-25496?

CVE-2026-25496 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-25496?

No known public exploits are currently available for CVE-2026-25496.

Is there a patch available for CVE-2026-25496?

Yes, patches are available for CVE-2026-25496. Check the vendor advisories for update instructions.

CVE-2026-25496 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.

Proof of Concept

Required Permissions

Administrator access
allowAdminChanges is enabled in production, which is against our security recommendations.

Steps to Reproduce

Log in with an admin account
Navigate to Settings → Fields → New field
Choose Number as the field type
Set the Prefix/Suffix Text field to: <img width="611" height="908" alt="image" src="https://github.com/user-attachments/assets/63766ca4-4fa9-490b-8bea-37364137527d" />

<img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>

Save the field
Add this field to any element (e.g., User Profile fields via Settings → Users → User Fields)
Navigate to your account (/admin/myaccount) or any user profile (/admin/users/{id})
XSS executes when viewing the form <img width="1246" height="677" alt="image-1" src="https://github.com/user-attachments/assets/dafeb2b7-905f-4a4b-b3d6-1c16a905498f" />

Mitigation

Sanitize prefix/suffix before rendering or use |e filter instead of |raw.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com