Platform
php
Component
craftcms/cms
Fixed in
5.0.1
5.8.22
CVE-2026-25491 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.8.9 and earlier. This vulnerability allows an attacker to inject malicious scripts into the Entry Types list by manipulating the Entry Type name field. Successful exploitation requires admin access and the allowAdminChanges setting to be enabled in production, which is a security misconfiguration. A fix is available in version 5.8.22.
The primary impact of CVE-2026-25491 is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This could lead to session hijacking, credential theft, redirection to malicious websites, or defacement of the Craft CMS administration interface. Because the vulnerability resides within the admin panel, the attacker needs admin privileges. The allowAdminChanges setting, if enabled, significantly increases the risk by allowing changes to be made in production environments, bypassing typical development and testing workflows. This vulnerability is similar to other XSS vulnerabilities where user-supplied input is not properly sanitized before being displayed.
CVE-2026-25491 was publicly disclosed on 2026-02-09. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 2.5 indicates a low probability of exploitation, primarily due to the requirement for admin access and the need to enable allowAdminChanges.
Organizations using Craft CMS in production environments, particularly those with admin users who may inadvertently enable the allowAdminChanges setting, are at risk. Shared hosting environments where multiple users share the same Craft CMS instance are also vulnerable, as an attacker could potentially compromise an admin account and exploit the vulnerability.
• php: Examine Craft CMS logs for POST requests to /admin/settings/entry-types containing suspicious HTML or JavaScript in the Name parameter. Use grep to search for patterns such as <script> or onerror= within log entries:

    grep -E '<script>|onerror=' /path/to/craftcms/storage/logs/web.log

• generic web: Monitor access logs for requests to /admin/settings/entry-types originating from unusual IP addresses or user agents. Check response headers for unexpected content or redirects:

    curl -I https://example.com/admin/settings/entry-types | grep Content-Type
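The grep above only catches payloads that appear literally in the log; request bodies are normally URL-encoded (and sometimes double-encoded), so `<script>` shows up as `%3Cscript%3E` and would be missed. The following is an added example, not code from the page or from the Craft CMS project: it scans log lines for POST requests to the Entry Types settings path, decodes the Name parameter before matching, and reports the markers that indicate active content in what should be a plain label. The sample log lines and their "METHOD PATH BODY" layout are constructed for this example; real Craft CMS web.log entries are formatted differently, so adapt `scan_line` to the actual log format.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (not real Craft CMS output). The
# "METHOD PATH BODY" layout is an assumption made for this example.
SAMPLE_LOG = """\
POST /admin/settings/entry-types/save name=Article&handle=article
POST /admin/settings/entry-types/save name=News%3Cscript%3Ealert(1)%3C%2Fscript%3E&handle=news
POST /admin/settings/entry-types/save name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&handle=img
POST /admin/settings/entry-types/save name=%253Cscript%253Ealert(1)%253C%252Fscript%253E&handle=dbl
GET /admin/settings/entry-types
POST /admin/settings/sections/save name=%3Cb%3EBlog%3C%2Fb%3E
"""

ENTRY_TYPES_PATH = "/admin/settings/entry-types"

# Markers of active content in a field that should only hold a plain label:
# script/embedding tags, inline event handlers, and javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*script|<\s*/?\s*(iframe|svg|img|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_name(body: str) -> Optional[str]:
    """Return the 'name' parameter of a form-encoded body, or None if absent."""
    values = parse_qs(body, keep_blank_values=True).get("name")
    return values[0] if values else None


def scan_line(line: str) -> Optional[dict]:
    """Flag a POST to the Entry Types settings whose decoded name contains markup."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    method, path, body = parts
    if method != "POST" or not path.startswith(ENTRY_TYPES_PATH):
        return None
    name = extract_name(body)
    if name is None:
        return None
    name = fully_decode(name)
    match = SUSPICIOUS.search(name)
    if not match:
        return None
    return {"path": path, "name": name, "marker": match.group(0)}


def scan_log(text: str) -> list:
    """Run scan_line over every line and collect the findings."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['path']}: marker {hit['marker']!r} in name {hit['name']!r}")
```

Run against the sample, the scan reports the single-encoded `<script>` payload, the `<img ... onerror=>` payload, and the double-encoded `<script>` payload, while the plain name, the GET request, and the POST to a different settings path are ignored.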
Exploit Status
EPSS
0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25491 is to upgrade Craft CMS to version 5.8.22 or later, which includes the necessary fix. If upgrading immediately is not feasible, disable the allowAdminChanges setting in production. This will prevent changes to the CMS configuration in a live environment. As a temporary workaround, implement strict input validation and output encoding on the Entry Type name field using a web application firewall (WAF) or proxy. Monitor Craft CMS logs for suspicious activity, particularly attempts to create or modify Entry Types with unusual characters or HTML tags. After upgrading, confirm the fix by attempting to create an Entry Type with a malicious name (e.g., <script>alert('XSS')</script>) and verifying that the script is not executed.
Update Craft CMS to version 5.8.22 or later. This version contains the fix for the stored XSS vulnerability in Entry Type names. The update can be performed via the Craft CMS dashboard or via Composer.
CVE-2026-25491 is a stored Cross-Site Scripting (XSS) vulnerability in Craft CMS versions 5.8.9 and earlier, allowing attackers to inject malicious scripts via Entry Type names.
You are affected if you are using Craft CMS versions 5.8.9 or earlier and have admin access to the settings panel with allowAdminChanges enabled.
Upgrade Craft CMS to version 5.8.22 or later. If immediate upgrade is not possible, disable the allowAdminChanges setting in production.
As of the current disclosure date, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the official Craft CMS security advisory for details: https://craftcms.com/knowledge-base/securing-craft.