CVE-2026-25490

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*

History

17 Jun 2026, 10:24

Type Values Removed Values Added
Summary
  • (es) Craft Commerce es una plataforma de comercio electrónico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, una vulnerabilidad XSS almacenada en Craft Commerce permite a los atacantes ejecutar JavaScript malicioso en el navegador de un administrador. Esto ocurre porque el campo 'Línea de dirección 1' en Ubicaciones de inventario no se sanea correctamente antes de ser mostrado en el panel de administración. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2.

10 Feb 2026, 18:08

Type Values Removed Values Added
References () https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee - () https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee - Patch
References () https://github.com/craftcms/commerce/releases/tag/4.10.1 - () https://github.com/craftcms/commerce/releases/tag/4.10.1 - Release Notes
References () https://github.com/craftcms/commerce/releases/tag/5.5.2 - () https://github.com/craftcms/commerce/releases/tag/5.5.2 - Release Notes
References () https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf - () https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.8
CPE cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
First Time Craftcms
Craftcms craft Commerce

03 Feb 2026, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-03 19:16

Updated : 2026-06-17 10:24


NVD link : CVE-2026-25490

Mitre link : CVE-2026-25490

CVE.ORG link : CVE-2026-25490


JSON object : View

Products Affected

craftcms

  • craft_commerce
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')