Platform: php
Component: craftcms/cms
Fixed in: 5.0.1, 5.8.22
CVE-2026-25491 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.8.9 and earlier. This vulnerability allows an attacker to inject malicious scripts into the Entry Types list by manipulating the Entry Type name field. Successful exploitation requires admin access and the allowAdminChanges setting to be enabled in production, which is a security misconfiguration. A fix is available in version 5.8.22.
The primary impact of CVE-2026-25491 is that an attacker can execute arbitrary JavaScript in the browser of any user who views the affected Entry Types list. This could lead to session hijacking, credential theft, redirection to malicious websites, or defacement of the Craft CMS administration interface. Because the vulnerability resides within the admin panel, the attacker needs admin privileges. The allowAdminChanges setting, if enabled, significantly increases the risk by allowing configuration changes to be made directly in production, bypassing typical development and testing workflows. The root cause is the same as in other stored XSS vulnerabilities: user-supplied input is stored and later displayed without proper output encoding.
CVE-2026-25491 was publicly disclosed on 2026-02-09. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 2.5 is low, primarily because exploitation requires admin access and the allowAdminChanges setting to be enabled.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25491 is to upgrade Craft CMS to version 5.8.22 or later, which includes the necessary fix. If upgrading immediately is not feasible, disable the allowAdminChanges setting in production; this prevents changes to the CMS configuration in a live environment. As a temporary workaround, apply strict input validation to the Entry Type name field at a web application firewall (WAF) or reverse proxy, and output-encode the name wherever it is rendered. Monitor Craft CMS logs for suspicious activity, particularly attempts to create or modify Entry Types whose names contain unusual characters or HTML tags. After upgrading, confirm the fix by attempting to create an Entry Type with a malicious name (e.g., <script>alert('XSS')</script>) and verifying that the script is displayed as text rather than executed.
Update Craft CMS to version 5.8.22 or higher. This version contains the fix for the stored XSS vulnerability in Entry Type names. The update can be performed through the Craft CMS control panel or using Composer.
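The following Python script is an added example, not code from this page or from Craft CMS. It shows the two halves of the workaround and verification step above: a proxy-side screening rule set for the Entry Type name field, and the output encoding the Entry Types list must apply so a stored name such as <script>alert('XSS')</script> is shown as text. The rule names, sample names and `render_entry_type_cell` helper are assumptions made for illustration.

```python
import html
import re

# Screening rules for the Entry Type "name" field. These are assumed WAF/proxy
# rules written for this example, not Craft's own validation. A legitimate name
# is short, human-readable text such as "Blog Post" or "News & Events".
_RULES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z!?][^>]*>?")),   # <script>, <img ..., unterminated tags
    ("encoded_lt", re.compile(r"&(lt|#0*60|#x0*3c);", re.I)),  # '<' smuggled as an HTML entity
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),     # onerror=, onmouseover=
    ("script_scheme", re.compile(r"javascript\s*:", re.I)),      # javascript: in a link target
]


def entry_type_name_findings(name: str) -> list[str]:
    """Return the name of every rule the submitted Entry Type name trips."""
    return [rule for rule, pattern in _RULES if pattern.search(name)]


def is_suspicious_entry_type_name(name: str) -> bool:
    """True when the submission should be rejected (and logged) before it reaches the CMS."""
    return bool(entry_type_name_findings(name))


def render_entry_type_cell(name: str) -> str:
    """Output-encode the name for the Entry Types list, as a fixed template should.

    html.escape(quote=True) turns < > & " ' into entities, so a stored
    <script>alert('XSS')</script> is displayed literally instead of executed.
    A name that is already entity-encoded (&lt;...) becomes &amp;lt;..., which
    still renders as text, so double encoding is harmless here.
    """
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    # Constructed sample submissions, including the page's own verification string.
    samples = [
        "Blog Post",
        "News & Events",
        "<script>alert('XSS')</script>",
        "Promo <img src=x onerror=alert(1)>",
        "&lt;script&gt;alert(1)&lt;/script&gt;",
    ]
    for name in samples:
        flags = entry_type_name_findings(name)
        verdict = "REJECT " + ",".join(flags) if flags else "ok"
        print(f"{verdict:<28} {render_entry_type_cell(name)}")
```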
CVE-2026-25491 is a stored Cross-Site Scripting (XSS) vulnerability in Craft CMS versions 5.8.9 and earlier, allowing attackers to inject malicious scripts via Entry Type names.
You are affected if you are using Craft CMS versions 5.8.9 or earlier and have admin access to the settings panel with allowAdminChanges enabled.
Upgrade Craft CMS to version 5.8.22 or later. If immediate upgrade is not possible, disable the allowAdminChanges setting in production.
As of the current disclosure date, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the official Craft CMS security advisory for details: https://craftcms.com/knowledge-base/securing-craft.