CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*

History

17 Jun 2026, 10:24

Type Values Removed Values Added
Summary
  • (es) Craft Commerce es una plataforma de comercio electrónico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, existe una vulnerabilidad de XSS almacenado en el Mensaje de Historial de Estado de Pedido de Craft Commerce. El mensaje se renderiza usando el filtro |md, que permite HTML sin procesar, posibilitando la ejecución de scripts maliciosos. Si un usuario tiene permisos de utilidad de copia de seguridad de la base de datos (que no requieren una sesión elevada), un atacante puede exfiltrar la base de datos completa, incluyendo todas las credenciales de usuario, PII del cliente, historial de pedidos y códigos de recuperación 2FA. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2.
References () https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 - Exploit, Vendor Advisory, Patch () https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 - Exploit, Patch, Vendor Advisory

10 Feb 2026, 17:52

Type Values Removed Values Added
References () https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c - () https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c - Patch
References () https://github.com/craftcms/commerce/releases/tag/4.10.1 - () https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes
References () https://github.com/craftcms/commerce/releases/tag/5.5.2 - () https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes
References () https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 - () https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 - Exploit, Vendor Advisory, Patch
CPE cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
First Time Craftcms
Craftcms craft Commerce

03 Feb 2026, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-03 19:16

Updated : 2026-06-17 10:24


NVD link : CVE-2026-25483

Mitre link : CVE-2026-25483

CVE.ORG link : CVE-2026-25483


JSON object : View

Products Affected

craftcms

  • craft_commerce
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')