CVE-2026-25482 (GCVE-0-2026-25482)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51
VLAI
Title
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/craftcms/commerce/security/adv… | x_refsource_CONFIRM |
| https://github.com/craftcms/commerce/commit/d94d1… | x_refsource_MISC |
| https://github.com/craftcms/commerce/releases/tag… | x_refsource_MISC |
| https://github.com/craftcms/commerce/releases/tag/5.5.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:23.936806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:24.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:05:09.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
},
{
"name": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-frj9-9rwc-pw9j",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \"Recent Orders\" Dashboard Widget)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25482",
"datePublished": "2026-02-03T18:05:09.783Z",
"dateReserved": "2026-02-02T16:31:35.821Z",
"dateUpdated": "2026-02-04T16:51:24.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-25482",
"date": "2026-06-29",
"epss": "0.00304",
"percentile": "0.22012"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25482\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-03T19:16:25.563\",\"lastModified\":\"2026-06-17T10:24:42.680\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \\\"Recent Orders\\\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.\"},{\"lang\":\"es\",\"value\":\"Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, existe una vulnerabilidad de XSS DOM almacenado en el widget del panel de control \u0027Pedidos Recientes\u0027. El Nombre del Estado del Pedido se renderiza mediante concatenaci\u00f3n de cadenas de JavaScript sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando cualquier administrador visita el panel de control. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"craftcms\",\"product\":\"commerce\",\"versions\":[{\"version\":\"\u003e= 5.0.0, \u003c 5.5.2\",\"status\":\"affected\"},{\"version\":\"\u003e= 4.0.0-RC1, \u003c 4.10.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-04T15:46:23.936806Z\",\"id\":\"CVE-2026-25482\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"4.10.1\",\"matchCriteriaId\":\"6EFA9347-254D-4D9E-84B1-8C0FFCC377F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.5.2\",\"matchCriteriaId\":\"65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"2B409639-1C00-4E9C-950E-77058C40A5F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/4.10.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/5.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25482\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-04T15:46:23.936806Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-04T15:46:24.947Z\"}}], \"cna\": {\"title\": \"Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \\\"Recent Orders\\\" Dashboard Widget)\", \"source\": {\"advisory\": \"GHSA-frj9-9rwc-pw9j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"commerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.5.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-RC1, \u003c 4.10.1\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j\", \"name\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65\", \"name\": \"https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \\\"Recent Orders\\\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T18:05:09.783Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25482\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-04T16:51:24.031Z\", \"dateReserved\": \"2026-02-02T16:31:35.821Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T18:05:09.783Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-25482
Vulnerability from fkie_nvd - Published: 2026-02-03 19:16 - Updated: 2026-06-17 10:24
Severity
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftcms | craft_commerce | * | |
| craftcms | craft_commerce | * | |
| craftcms | craft_commerce | 4.0.0 | |
| craftcms | craft_commerce | 4.0.0 |
{
"affected": [
{
"affectedData": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
"matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9",
"versionEndExcluding": "4.10.1",
"versionStartIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
"matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B",
"versionEndExcluding": "5.5.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*",
"matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*",
"matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the \"Recent Orders\" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2."
},
{
"lang": "es",
"value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, existe una vulnerabilidad de XSS DOM almacenado en el widget del panel de control \u0027Pedidos Recientes\u0027. El Nombre del Estado del Pedido se renderiza mediante concatenaci\u00f3n de cadenas de JavaScript sin el escape adecuado, lo que permite la ejecuci\u00f3n de scripts cuando cualquier administrador visita el panel de control. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2."
}
],
"id": "CVE-2026-25482",
"lastModified": "2026-06-17T10:24:42.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-25482",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:23.936806Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-02-03T19:16:25.563",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-FRJ9-9RWC-PW9J
Vulnerability from github – Published: 2026-02-02 22:41 – Updated: 2026-02-03 21:39
VLAI
Summary
Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Details
Summary
A stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.
Users are recommended to update to the patched 5.5.2 release to mitigate the issue.
Proof of Concept
Required Permissions
- Admin access (to edit/create Order Statuses)
Steps to Reproduce
- Log in with an admin account
- Navigate to Commerce → Settings → Order Statuses
- Create new order status (e.g., "Pending")
- Set the Name field to:
<img src=x onerror="alert('Order Statuses XSS')" hidden>
- Save the order status
- Go to Commerce Orders & make some orders with different statuses (e.g. "New" & "the malicious created status")
- Go to the Dashboard (
/admin/dashboard) & Add "Recent Orders" widget and pick the same 2 statuses for orders - Notice the XSS execution
Technical Details
File: vendor/craftcms/commerce/src/templates/_components/widgets/orders/recent/body.twig
Root Cause: value.name (the Order Status Name) is concatenated directly into the HTML string without sanitization. When JavaScript inserts this HTML into the DOM, any malicious tags/scripts in the name are executed.
Mitigation
Use Craft.escapeHtml() in the callback:
callback: function(value) {
return '<span class="commerceStatusLabel"><span class="status ' + Craft.escapeHtml(value.color) + '"></span>' + Craft.escapeHtml(value.name) + '</span>';
}
Resources:
https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.10.0"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25482"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T22:41:44Z",
"nvd_published_at": "2026-02-03T19:16:25Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA stored DOM XSS vulnerability exists in the **\"Recent Orders\"** dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard.\n\nUsers are recommended to update to the patched 5.5.2 release to mitigate the issue.\n\n---\n## Proof of Concept\n\n### Required Permissions\n\n- Admin access (to edit/create Order Statuses)\n\n### Steps to Reproduce\n1. Log in with an admin account\n2. Navigate to **Commerce** \u2192 **Settings** \u2192 **Order Statuses**\n3. Create new order status (e.g., \"Pending\")\n4. Set the **Name** field to:\n```html\n\u003cimg src=x onerror=\"alert(\u0027Order Statuses XSS\u0027)\" hidden\u003e\n```\n5. Save the order status\n6. Go to Commerce Orders \u0026 make some orders with different statuses (e.g. \"New\" \u0026 \"the malicious created status\")\n7. Go to the Dashboard (`/admin/dashboard`) \u0026 Add **\"Recent Orders\"** widget and pick the same 2 statuses for orders\n8. Notice the XSS execution \u003cimg width=\"1491\" height=\"568\" alt=\"xss-execution-in-dashboard\" src=\"https://github.com/user-attachments/assets/84e8b121-30b9-4029-93be-e90009b6897e\" /\u003e\n\n\n---\n## Technical Details\n\n**File:** `vendor/craftcms/commerce/src/templates/_components/widgets/orders/recent/body.twig`\n\n**Root Cause:** `value.name` (the Order Status Name) is concatenated directly into the HTML string without sanitization. When JavaScript inserts this HTML into the DOM, any malicious tags/scripts in the name are executed.\u003cimg width=\"1780\" height=\"858\" alt=\"vulnerable-code\" src=\"https://github.com/user-attachments/assets/b150ee9d-c072-4987-b506-81a29c23d84b\" /\u003e\n\n---\n## Mitigation\nUse `Craft.escapeHtml()` in the callback:\n```javascript\ncallback: function(value) {\n return \u0027\u003cspan class=\"commerceStatusLabel\"\u003e\u003cspan class=\"status \u0027 + Craft.escapeHtml(value.color) + \u0027\"\u003e\u003c/span\u003e\u0027 + Craft.escapeHtml(value.name) + \u0027\u003c/span\u003e\u0027;\n}\n```\n\n## Resources:\n\nhttps://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65",
"id": "GHSA-frj9-9rwc-pw9j",
"modified": "2026-02-03T21:39:52Z",
"published": "2026-02-02T22:41:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25482"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in \"Recent Orders\" Dashboard Widget)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…