CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting CraftCMS, a popular content management system used for building digital experiences. The vulnerability exists in versions from 5.0.0-RC1 through 5.8.21 due to improper neutralization of input during web page generation. Specifically, Entry Type names are not sanitized when rendered in the Entry Types list, allowing an attacker with authenticated access and sufficient privileges to inject malicious JavaScript code. This stored XSS can execute in the context of the CMS administrative interface, potentially enabling attackers to hijack user sessions, perform actions on behalf of other users, or escalate privileges within the CMS environment. The vulnerability requires an attacker to have authenticated access with permission to create or modify Entry Types, and some user interaction is needed to trigger the malicious script. The CVSS 4.0 base score is 1.9, reflecting low severity due to the requirement for privileges and user interaction, as well as limited impact on confidentiality and integrity. The flaw was publicly disclosed and fixed in version 5.8.22 of CraftCMS. No known exploits have been reported in the wild to date. Organizations running affected versions should apply the patch promptly to eliminate the risk of exploitation.

For European organizations using CraftCMS versions between 5.0.0-RC1 and 5.8.21, this vulnerability poses a risk primarily to the confidentiality and integrity of the CMS administrative environment. An attacker with authenticated access and appropriate permissions could inject malicious scripts that execute in the browsers of other CMS users, potentially leading to session hijacking, unauthorized actions, or privilege escalation. While the vulnerability does not directly affect availability or require no authentication, the impact on internal CMS operations and data integrity could be significant, especially for organizations relying heavily on CraftCMS for content management and digital experience delivery. Exploitation could lead to unauthorized content changes or leakage of sensitive administrative information. Given the low CVSS score and the need for authenticated access, the threat is moderate but should not be underestimated in environments with multiple CMS administrators or editors. Failure to patch could expose organizations to targeted attacks, particularly in sectors where web content integrity is critical.

1. Upgrade CraftCMS to version 5.8.22 or later immediately to apply the official fix for this vulnerability. 2. Restrict permissions within the CMS to limit who can create or modify Entry Types, ensuring only trusted administrators have such privileges. 3. Implement strict input validation and sanitization policies on all user inputs, especially those that are rendered in administrative interfaces. 4. Conduct regular security audits and code reviews of CMS customizations to detect potential injection points. 5. Educate CMS users and administrators about the risks of stored XSS and encourage vigilance when interacting with Entry Type names or other user-generated content. 6. Monitor CMS logs for unusual activities related to Entry Type modifications or unexpected script executions. 7. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script sources. 8. Consider isolating the CMS administrative interface behind VPNs or IP whitelisting to reduce exposure to unauthorized users.