CVE-2026-25491

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Published Feb 10, 2026

https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

CVSS ScoreMedium

4.8

Ecosystem	Package	Version

Ecosystem	Package	Version

Vulnerabilities

CVE-2026-25491

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

Published Feb 10, 2026

https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

CVSS ScoreMedium

4.8


composer	craftcms/cms	5.0.0-RC1
composer	craftcms/cms	5.0.0
composer	craftcms/cms	5.0.1
composer	craftcms/cms	5.0.2
composer	craftcms/cms	5.0.3
composer	craftcms/cms	5.0.4
composer	craftcms/cms	5.0.5
composer	craftcms/cms	5.0.6
composer	craftcms/cms	5.1.0
composer	craftcms/cms	5.1.10
composer	craftcms/cms	5.1.1
composer	craftcms/cms	5.1.2
composer	craftcms/cms	5.1.3
composer	craftcms/cms	5.1.4
composer	craftcms/cms	5.1.5
composer	craftcms/cms	5.1.6
composer	craftcms/cms	5.1.7
composer	craftcms/cms	5.1.8
composer	craftcms/cms	5.1.9
composer	craftcms/cms	5.2.0-beta.1
composer	craftcms/cms	5.2.0-beta.2
composer	craftcms/cms	5.2.0-beta.3
composer	craftcms/cms	5.2.0-beta.4
composer	craftcms/cms	5.2.0-beta.5
composer	craftcms/cms	5.2.0-beta.6
composer	craftcms/cms	5.2.0
composer	craftcms/cms	5.2.10
composer	craftcms/cms	5.2.1
composer	craftcms/cms	5.2.2
composer	craftcms/cms	5.2.3
composer	craftcms/cms	5.2.4.1
composer	craftcms/cms	5.2.4
composer	craftcms/cms	5.2.5
composer	craftcms/cms	5.2.6
composer	craftcms/cms	5.2.7
composer	craftcms/cms	5.2.8
composer	craftcms/cms	5.2.9
composer	craftcms/cms	5.3.0-beta.1
composer	craftcms/cms	5.3.0-beta.2
composer	craftcms/cms	5.3.0.1
composer	craftcms/cms	5.3.0.2
composer	craftcms/cms	5.3.0.3
composer	craftcms/cms	5.3.0
composer	craftcms/cms	5.3.1
composer	craftcms/cms	5.3.2
composer	craftcms/cms	5.3.3
composer	craftcms/cms	5.3.4
composer	craftcms/cms	5.3.5
composer	craftcms/cms	5.3.6
composer	craftcms/cms	5.4.0.1

Ecosystem	Package	Version


composer	craftcms/cms	5.0.0-RC1
composer	craftcms/cms	5.0.0
composer	craftcms/cms	5.0.1
composer	craftcms/cms	5.0.2
composer	craftcms/cms	5.0.3
composer	craftcms/cms	5.0.4
composer	craftcms/cms	5.0.5
composer	craftcms/cms	5.0.6
composer	craftcms/cms	5.1.0
composer	craftcms/cms	5.1.10
composer	craftcms/cms	5.1.1
composer	craftcms/cms	5.1.2
composer	craftcms/cms	5.1.3
composer	craftcms/cms	5.1.4
composer	craftcms/cms	5.1.5
composer	craftcms/cms	5.1.6
composer	craftcms/cms	5.1.7
composer	craftcms/cms	5.1.8
composer	craftcms/cms	5.1.9
composer	craftcms/cms	5.2.0-beta.1
composer	craftcms/cms	5.2.0-beta.2
composer	craftcms/cms	5.2.0-beta.3
composer	craftcms/cms	5.2.0-beta.4
composer	craftcms/cms	5.2.0-beta.5
composer	craftcms/cms	5.2.0-beta.6
composer	craftcms/cms	5.2.0
composer	craftcms/cms	5.2.10
composer	craftcms/cms	5.2.1
composer	craftcms/cms	5.2.2
composer	craftcms/cms	5.2.3
composer	craftcms/cms	5.2.4.1
composer	craftcms/cms	5.2.4
composer	craftcms/cms	5.2.5
composer	craftcms/cms	5.2.6
composer	craftcms/cms	5.2.7
composer	craftcms/cms	5.2.8
composer	craftcms/cms	5.2.9
composer	craftcms/cms	5.3.0-beta.1
composer	craftcms/cms	5.3.0-beta.2
composer	craftcms/cms	5.3.0.1
composer	craftcms/cms	5.3.0.2
composer	craftcms/cms	5.3.0.3
composer	craftcms/cms	5.3.0
composer	craftcms/cms	5.3.1
composer	craftcms/cms	5.3.2
composer	craftcms/cms	5.3.3
composer	craftcms/cms	5.3.4
composer	craftcms/cms	5.3.5
composer	craftcms/cms	5.3.6
composer	craftcms/cms	5.4.0.1

Find vulnerabilities. Fix fast with AI.

CVE-2026-25491

CVE-2026-25491