Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
References
| Link | Resource |
|---|---|
| https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c | Patch |
| https://github.com/craftcms/commerce/releases/tag/4.10.1 | Release Notes |
| https://github.com/craftcms/commerce/releases/tag/5.5.2 | Release Notes |
| https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
10 Feb 2026, 18:13
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c - Patch | |
| References | () https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes | |
| References | () https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes | |
| References | () https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c - Exploit, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
| First Time |
Craftcms
Craftcms craft Commerce |
|
| CPE | cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:* |
03 Feb 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-03 19:16
Updated : 2026-02-10 18:13
NVD link : CVE-2026-25484
Mitre link : CVE-2026-25484
CVE.ORG link : CVE-2026-25484
JSON object : View
Products Affected
craftcms
- craft_commerce
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')