GHSA-7pr4-wx9w-mqwr | Mondoo Vulnerability Intelligence

GHSA-7pr4-wx9w-mqwr

LOW1.9

Craft CMS Vulnerable to Stored XSS in Entry Types Name

Published Feb 9, 2026

Modified 1 months ago

Fix available

Details

Summary

Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.

Proof of Concept

Required Permissions (Attacker)

Admin access (only admins have access to the settings page)
allowAdminChanges is enabled in production, which is against our security recommendations.

Steps to Reproduce

Log in as an attacker.
Go to Settings -> Entry Types (/admin/settings/entry-types).
Create a new Entry Type.
Set Name to:

<img src=x onerror="alert('XSS-EntryTypes')" hidden>

Save the Entry Type, and you’ll be redirected back to the entry types table automatically.
Notice the alert fires when the entry types table renders.

Affected Packages

craftcms/cms

Packagist

Fixed in:

5.8.22

References

https://github.com/advisories/GHSA-7pr4-wx9w-mqwr

https://github.com/craftcms/cms

https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4

https://github.com/craftcms/cms/releases/tag/5.8.22

https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr

https://nvd.nist.gov/vuln/detail/CVE-2026-25491

Aliases

CVSS Analysis

CVSS v4.0

1.9

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

HighPR:H

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

LowVC:L

Vuln. Integrity

LowVI:L

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

1.9/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related

Ecosystems

Timeline

PublishedFeb 9, 2026

ModifiedFeb 9, 2026