Craft CMS Stored Cross-Site Scripting Vulnerability in Number Field Type

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue lies in the settings of the Number field type: the Prefix and Suffix values are rendered through Twig's raw filter, which bypasses auto-escaping, so any HTML stored in those settings is emitted verbatim. Markup placed in either setting therefore executes as script whenever the Number field is displayed on a user profile. The vulnerability is patched in Craft CMS 4.16.18 and 5.8.22.

Impact

Successful exploitation yields stored cross-site scripting: markup injected into a Number field's Prefix or Suffix setting is delivered to every user who views a profile that displays the field and runs in that viewer's browser, with that viewer's session and privileges. Because editing field settings requires an administrator account, the practical attacker is a malicious or compromised administrator targeting other users rather than an anonymous visitor; the payload nonetheless persists in the field settings and fires on every profile view until the installation is patched or the setting is cleaned.

Reproduction

To reproduce, log in with an admin account and open the field settings. Create a new Number field and enter an image tag carrying a script-executing event handler in the Prefix Text or Suffix Text setting. Save the field and add it to user profiles. The injected script executes when any profile displaying the field is viewed.
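The following audit script is an added example for this advisory, not Craft CMS code and not part of the original report. It checks Number field settings for the kind of markup described in the Vulnerability and Reproduction sections and shows what escaping does to such a payload. It assumes (not stated by the advisory) that field records look like rows of Craft's fields table, with a type class string and a JSON-encoded settings column carrying prefix and suffix for Number fields; the class name, sample rows and payload are all constructed for the example.

```python
"""Audit Craft CMS Number field settings for markup in Prefix/Suffix.

Added example for this advisory, not Craft CMS code. Assumption: field
records look like rows of Craft's `fields` table, i.e. a `type` class
string and a JSON-encoded `settings` column; for Number fields that JSON
carries the `prefix` and `suffix` settings the advisory describes.
"""
import html
import json
import re

NUMBER_FIELD_TYPE = "craft\\fields\\Number"  # assumed class name of the field type

# A legitimate prefix/suffix ("$", " USD", " kg") never needs tag or
# attribute syntax, so any of these is worth a manual look. Kept broad on
# purpose: this is a triage filter, not a sanitizer.
SUSPICIOUS = re.compile(r"[<>\"']|&#|javascript:|on\w+\s*=", re.IGNORECASE)


def audit_field(row):
    """Return (handle, setting, value) for each suspicious prefix/suffix in one field row."""
    if row.get("type") != NUMBER_FIELD_TYPE:
        return []  # other field types do not carry these settings
    settings = row.get("settings") or {}
    if isinstance(settings, str):  # raw JSON as stored in the database
        settings = json.loads(settings)
    findings = []
    for key in ("prefix", "suffix"):
        value = settings.get(key)
        if isinstance(value, str) and SUSPICIOUS.search(value):
            findings.append((row.get("handle", "?"), key, value))
    return findings


def audit_fields(rows):
    """Run audit_field over every row and flatten the findings."""
    return [f for row in rows for f in audit_field(row)]


def render_number(prefix, value, suffix, escape=True):
    """Join prefix, value and suffix the way a display template would.

    escape=False mirrors output through Twig's raw filter (the vulnerable
    behaviour); escape=True mirrors ordinary auto-escaped output, which is
    what the fix amounts to: stored markup reaches the browser as text.
    """
    if escape:
        prefix = html.escape(prefix, quote=True)
        suffix = html.escape(suffix, quote=True)
    return f"{prefix}{value}{suffix}"


# Constructed sample rows (not real data). The third row carries the kind of
# image-tag payload the advisory describes; the fourth is a non-Number field
# and must be ignored even though its settings contain markup.
SAMPLE_ROWS = [
    {"handle": "price", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "$", "suffix": " USD", "decimals": 2})},
    {"handle": "weight", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "", "suffix": " kg"})},
    {"handle": "score", "type": NUMBER_FIELD_TYPE,
     "settings": json.dumps({"prefix": "<img src=x onerror=alert(1)>", "suffix": ""})},
    {"handle": "bio", "type": "craft\\fields\\PlainText",
     "settings": json.dumps({"placeholder": "<b>not a Number field</b>"})},
]

if __name__ == "__main__":
    for handle, key, value in audit_fields(SAMPLE_ROWS):
        prefix, suffix = (value, "") if key == "prefix" else ("", value)
        print(f"{handle}.{key}: {value!r}")
        print("  raw (vulnerable):", render_number(prefix, 42, suffix, escape=False))
        print("  escaped (fixed): ", render_number(prefix, 42, suffix, escape=True))
```

Run this against a dump of the fields table (or the equivalent entries in project config) after patching as well as before: the update stops the markup from executing, but a payload already sitting in a Prefix or Suffix setting is evidence that a privileged account planted it, which is an incident to investigate rather than just a bug to close.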

Remediation

Update to Craft CMS 4.16.18 or 5.8.22. Because the payload is planted through field settings, also review existing Number fields for unexpected markup in their Prefix and Suffix settings and keep field-editing rights limited to trusted administrators.

Added: Feb 9, 2026, 8:22 PM
Updated: Feb 9, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.