CVE-2026-25496: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms cms
CVE-2026-25496 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue arises because the Prefix and Suffix fields in the Number field type settings are rendered using the raw Twig filter without proper escaping, allowing malicious scripts to execute when these fields are displayed on user profiles.
AI Analysis
Technical Summary
CVE-2026-25496 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Craft CMS platform, specifically affecting versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. Craft CMS is widely used for building digital experiences and content management. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The root cause is the use of the raw Twig filter (|md|raw) to render the Prefix and Suffix fields in the Number field type settings without adequate escaping or sanitization. This allows an attacker to inject malicious JavaScript code into these fields, which is then stored and executed in the context of user profiles when viewed by other users or administrators. Triggering the stored script requires user interaction: a victim must view a profile on which the affected field is displayed. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, consistent with the need for an account that can edit field settings), passive user interaction (UI:P), and low impact on confidentiality and integrity. The vulnerability was publicly disclosed on February 9, 2026, and patches were released in versions 4.16.18 and 5.8.22. No known exploits have been reported in the wild to date. The vulnerability could be leveraged for session hijacking, defacement, or delivering malicious payloads to users, potentially compromising user data or trust in affected websites.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deface websites. This can damage organizational reputation, lead to data breaches, and cause compliance issues under GDPR due to unauthorized data exposure. Since Craft CMS is used by various businesses, including e-commerce, media, and government portals, the impact could extend to critical services and sensitive user information. The vulnerability's exploitation does not directly affect availability but can indirectly disrupt services through reputational damage or targeted attacks. European organizations with public-facing Craft CMS installations should consider the threat significant enough to warrant immediate remediation to prevent potential exploitation.
Mitigation Recommendations
1. Upgrade Craft CMS installations to versions 4.16.18 or 5.8.22 or later, where the vulnerability is patched.
2. Implement strict input validation on the Prefix and Suffix fields to reject or sanitize any potentially malicious input before storage.
3. Avoid using the raw Twig filter for rendering user-controllable input; instead, use proper escaping mechanisms provided by Twig to neutralize scripts.
4. Conduct regular security audits and code reviews focusing on template rendering and input handling.
5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
6. Monitor web application logs and user reports for suspicious activities indicative of XSS exploitation attempts.
7. Educate developers and content managers about secure handling of user input and the risks of stored XSS.
8. If immediate patching is not feasible, consider disabling or restricting the use of the Number field type settings that utilize Prefix and Suffix fields until patched.
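The following is an added example, not code from Craft CMS or from this advisory, that illustrates two of the points above in one place: the difference between interpolating the Prefix and Suffix settings raw (the root cause described in the technical summary) and HTML-escaping them (mitigation 3), and a small audit that flags stored Number field settings containing markup (mitigations 2 and 8). The JSON shape of the field settings, the field handles, and the function names are assumptions made for this example; Craft's real project-config format is not reproduced here.

```python
import html
import json

# Constructed sample of stored field settings in a simplified JSON shape
# assumed for this example (this is NOT Craft's own project-config format).
# The "score" field carries markup in its prefix and suffix; the others are
# the kind of values a Number field legitimately uses.
FIELD_SETTINGS_JSON = json.dumps([
    {"handle": "price",  "type": "Number",    "prefix": "$",  "suffix": ""},
    {"handle": "weight", "type": "Number",    "prefix": "",   "suffix": " kg"},
    {"handle": "score",  "type": "Number",
     "prefix": "<b>Score:</b> ", "suffix": "<script>alert(1)</script>"},
    {"handle": "title",  "type": "PlainText", "prefix": "<i>not a Number field</i>"},
])


def render_number_field_raw(prefix, value, suffix):
    """Mirror of the vulnerable pattern: settings are dropped into the page
    without escaping, which is what `|raw` does in a Twig template."""
    return f'<span class="number">{prefix}{value}{suffix}</span>'


def render_number_field(prefix, value, suffix):
    """Hardened form: every string that an editor can control is HTML-escaped
    before it reaches the page (the equivalent of Twig's `|e` filter or
    leaving autoescaping on). Quotes are escaped too, so the result is also
    safe inside attribute values."""
    return (
        '<span class="number">'
        f'{html.escape(prefix)}{html.escape(str(value))}{html.escape(suffix)}'
        '</span>'
    )


def has_markup(text):
    """Audit heuristic: a currency symbol, unit or percent sign never needs
    angle brackets, so any '<' or '>' in a prefix/suffix is worth a look."""
    return "<" in text or ">" in text


def audit_number_fields(settings_json):
    """Return (handle, setting) pairs for Number fields whose prefix or
    suffix contains markup. Non-Number fields are ignored because only the
    Number field type's Prefix/Suffix settings are in scope here."""
    flagged = []
    for field in json.loads(settings_json):
        if field.get("type") != "Number":
            continue
        for key in ("prefix", "suffix"):
            if has_markup(field.get(key, "")):
                flagged.append((field["handle"], key))
    return flagged


if __name__ == "__main__":
    for handle, key in audit_number_fields(FIELD_SETTINGS_JSON):
        print(f"review field '{handle}': {key} contains markup")
    print(render_number_field_raw("<b>Score:</b> ", 42, ""))   # markup survives
    print(render_number_field("<b>Score:</b> ", 42, ""))       # markup neutralised
```

Running the audit against an export of your own field settings is a quick way to decide whether mitigation 8 (restricting the affected settings) is needed before the upgrade lands; escaping at render time, as in `render_number_field`, is what the patched versions do in spirit and what any custom template that echoes field settings should do regardless.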
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.824Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 698a3d0c4b57a58fa16d39e1
Added to database: 2/9/2026, 8:01:16 PM
Last enriched: 2/17/2026, 9:45:28 AM
Last updated: 2/21/2026, 12:20:26 AM