Search criteria
20 vulnerabilities found for craft_commerce by craftcms
CVE-2026-25522 (GCVE-0-2026-25522)
Vulnerability from nvd – Published: 2026-02-03 18:10 – Updated: 2026-02-03 19:22
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T19:22:16.716424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:22:34.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Zone (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:10:33.911Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-h9r9-2pxg-cx9m",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Zone (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25522",
"datePublished": "2026-02-03T18:10:33.911Z",
"dateReserved": "2026-02-02T18:21:42.487Z",
"dateUpdated": "2026-02-03T19:22:34.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25490 (GCVE-0-2026-25490)
Vulnerability from nvd – Published: 2026-02-03 18:09 – Updated: 2026-02-03 20:27
VLAI?
Title
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:25:17.822027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:27:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:09:33.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-wq2m-r96q-crrf",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25490",
"datePublished": "2026-02-03T18:09:33.290Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-03T20:27:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25489 (GCVE-0-2026-25489)
Vulnerability from nvd – Published: 2026-02-03 18:07 – Updated: 2026-02-03 20:34
VLAI?
Title
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25489",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:32:00.751102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:34:09.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Name \u0026 Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:40.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-v585-mf6r-rqrc",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Tax Zones (Name \u0026 Description) Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25489",
"datePublished": "2026-02-03T18:07:40.168Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-03T20:34:09.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25488 (GCVE-0-2026-25488)
Vulnerability from nvd – Published: 2026-02-03 18:07 – Updated: 2026-02-04 21:13
VLAI?
Title
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:13:40.929885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:13:48.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Tax Categories (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:25.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-p6w8-q63m-72c8",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Tax Categories (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25488",
"datePublished": "2026-02-03T18:07:25.106Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-04T21:13:48.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25487 (GCVE-0-2026-25487)
Vulnerability from nvd – Published: 2026-02-03 18:07 – Updated: 2026-02-04 21:13
VLAI?
Title
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25487",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:13:06.474772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:13:17.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u0027s browser. This occurs because the Tax Rates \u0027Name\u0027 field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:12.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-wqc5-485v-3hqh",
"discovery": "UNKNOWN"
},
"title": "Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25487",
"datePublished": "2026-02-03T18:07:12.401Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T21:13:17.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25486 (GCVE-0-2026-25486)
Vulnerability from nvd – Published: 2026-02-03 18:06 – Updated: 2026-02-04 21:10
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25486",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:10:07.133607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:10:12.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:57.014Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-g92v-wpv7-6w22",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25486",
"datePublished": "2026-02-03T18:06:57.014Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T21:10:12.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25485 (GCVE-0-2026-25485)
Vulnerability from nvd – Published: 2026-02-03 18:06 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:17.061199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:07.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Categories (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:45.900Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-w8gw-qm8p-j9j3",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Categories (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25485",
"datePublished": "2026-02-03T18:06:45.900Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T16:51:07.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25484 (GCVE-0-2026-25484)
Vulnerability from nvd – Published: 2026-02-03 18:06 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS in Product Type Name
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:19.419646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:13.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:36.706Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c"
},
{
"name": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-2h2m-v2mg-656c",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Product Type Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25484",
"datePublished": "2026-02-03T18:06:36.706Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:13.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25483 (GCVE-0-2026-25483)
Vulnerability from nvd – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:22.023688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:19.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:05:49.411Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
},
{
"name": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-8478-rmjg-mjj5",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25483",
"datePublished": "2026-02-03T18:05:49.411Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:19.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25482 (GCVE-0-2026-25482)
Vulnerability from nvd – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:23.936806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:24.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:05:09.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
},
{
"name": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-frj9-9rwc-pw9j",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \"Recent Orders\" Dashboard Widget)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25482",
"datePublished": "2026-02-03T18:05:09.783Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:24.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25522 (GCVE-0-2026-25522)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:10 – Updated: 2026-02-03 19:22
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T19:22:16.716424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:22:34.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Zone (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:10:33.911Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-h9r9-2pxg-cx9m",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Zone (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25522",
"datePublished": "2026-02-03T18:10:33.911Z",
"dateReserved": "2026-02-02T18:21:42.487Z",
"dateUpdated": "2026-02-03T19:22:34.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25490 (GCVE-0-2026-25490)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:09 – Updated: 2026-02-03 20:27
VLAI?
Title
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:25:17.822027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:27:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:09:33.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-wq2m-r96q-crrf",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25490",
"datePublished": "2026-02-03T18:09:33.290Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-03T20:27:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25489 (GCVE-0-2026-25489)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:07 – Updated: 2026-02-03 20:34
VLAI?
Title
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25489",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:32:00.751102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:34:09.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Name \u0026 Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:40.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-v585-mf6r-rqrc",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Tax Zones (Name \u0026 Description) Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25489",
"datePublished": "2026-02-03T18:07:40.168Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-03T20:34:09.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25488 (GCVE-0-2026-25488)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:07 – Updated: 2026-02-04 21:13
VLAI?
Title
Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:13:40.929885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:13:48.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Tax Categories (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:25.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-p6w8-q63m-72c8",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Tax Categories (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25488",
"datePublished": "2026-02-03T18:07:25.106Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-04T21:13:48.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25487 (GCVE-0-2026-25487)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:07 – Updated: 2026-02-04 21:13
VLAI?
Title
Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25487",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:13:06.474772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:13:17.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u0027s browser. This occurs because the Tax Rates \u0027Name\u0027 field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:07:12.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-wqc5-485v-3hqh",
"discovery": "UNKNOWN"
},
"title": "Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25487",
"datePublished": "2026-02-03T18:07:12.401Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T21:13:17.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25486 (GCVE-0-2026-25486)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:06 – Updated: 2026-02-04 21:10
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25486",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:10:07.133607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:10:12.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:57.014Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-g92v-wpv7-6w22",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25486",
"datePublished": "2026-02-03T18:06:57.014Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T21:10:12.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25485 (GCVE-0-2026-25485)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:06 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:17.061199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:07.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Categories (Name \u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:45.900Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-w8gw-qm8p-j9j3",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Shipping Categories (Name \u0026 Description) Fields Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25485",
"datePublished": "2026-02-03T18:06:45.900Z",
"dateReserved": "2026-02-02T16:31:35.822Z",
"dateUpdated": "2026-02-04T16:51:07.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25484 (GCVE-0-2026-25484)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:06 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS in Product Type Name
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:19.419646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:13.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:06:36.706Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c"
},
{
"name": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-2h2m-v2mg-656c",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Product Type Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25484",
"datePublished": "2026-02-03T18:06:36.706Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:13.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25483 (GCVE-0-2026-25483)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:22.023688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:19.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:05:49.411Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
},
{
"name": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-8478-rmjg-mjj5",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25483",
"datePublished": "2026-02-03T18:05:49.411Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:19.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25482 (GCVE-0-2026-25482)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51
VLAI?
Title
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:23.936806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:24.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:05:09.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
},
{
"name": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-frj9-9rwc-pw9j",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \"Recent Orders\" Dashboard Widget)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25482",
"datePublished": "2026-02-03T18:05:09.783Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:24.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}