Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
References
| Link | Resource |
|---|---|
| https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65 | Patch |
| https://github.com/craftcms/commerce/releases/tag/4.10.1 | Release Notes |
| https://github.com/craftcms/commerce/releases/tag/5.5.2 | Release Notes |
| https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
10 Feb 2026, 18:13
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
| First Time |
Craftcms
Craftcms craft Commerce |
|
| CPE | cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:* |
|
| References | () https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65 - Patch | |
| References | () https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes | |
| References | () https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes | |
| References | () https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j - Exploit, Vendor Advisory |
03 Feb 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-03 19:16
Updated : 2026-02-10 18:13
NVD link : CVE-2026-25482
Mitre link : CVE-2026-25482
CVE.ORG link : CVE-2026-25482
JSON object : View
Products Affected
craftcms
- craft_commerce
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')