CVE-2026-25488

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee	Patch
https://github.com/craftcms/commerce/releases/tag/4.10.1	Release Notes
https://github.com/craftcms/commerce/releases/tag/5.5.2	Release Notes
https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::*

History

10 Feb 2026, 18:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Craftcms Craftcms craft Commerce
References	~~() https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee -~~	() https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee - Patch
References	~~() https://github.com/craftcms/commerce/releases/tag/4.10.1 -~~	() https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes
References	~~() https://github.com/craftcms/commerce/releases/tag/5.5.2 -~~	() https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes
References	~~() https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8 -~~	() https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8 - Exploit, Vendor Advisory

03 Feb 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 19:16

Updated : 2026-02-10 18:10

NVD link : CVE-2026-25488

Mitre link : CVE-2026-25488

CVE.ORG link : CVE-2026-25488

JSON object : View

Products Affected

craftcms

craft_commerce

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10