CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c	Patch
https://github.com/craftcms/commerce/releases/tag/4.10.1	Release Notes
https://github.com/craftcms/commerce/releases/tag/5.5.2	Release Notes
https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5	Exploit Vendor Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::*

History

10 Feb 2026, 17:52

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c -~~	() https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c - Patch
References	~~() https://github.com/craftcms/commerce/releases/tag/4.10.1 -~~	() https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes
References	~~() https://github.com/craftcms/commerce/releases/tag/5.5.2 -~~	() https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes
References	~~() https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 -~~	() https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 - Exploit, Vendor Advisory, Patch
CPE		cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Craftcms Craftcms craft Commerce

03 Feb 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 19:16

Updated : 2026-02-10 17:52

NVD link : CVE-2026-25483

Mitre link : CVE-2026-25483

CVE.ORG link : CVE-2026-25483

JSON object : View

Products Affected

craftcms

craft_commerce

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10