CVE-2026-25487

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee	Patch
https://github.com/craftcms/commerce/releases/tag/4.10.1	Release Notes
https://github.com/craftcms/commerce/releases/tag/5.5.2	Release Notes
https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::*

History

No history.

Information

Published : 2026-02-03 19:16

Updated : 2026-02-10 18:10

NVD link : CVE-2026-25487

Mitre link : CVE-2026-25487

CVE.ORG link : CVE-2026-25487

JSON object : View

Products Affected

craftcms

craft_commerce

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25487", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-03T19:16:26.360", "references": [{"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."}, {"lang": "es", "value": "Craft Commerce es una plataforma de comercio electr\u00f3nico para Craft CMS. En las versiones desde la 4.0.0-RC1 hasta la 4.10.0 y desde la 5.0.0 hasta la 5.5.1, una vulnerabilidad de XSS almacenado en Craft Commerce permite a los atacantes ejecutar JavaScript malicioso en el navegador de un administrador. Esto ocurre porque el campo 'Name' de las Tasas de Impuestos en la secci\u00f3n de Gesti\u00f3n de la Tienda no se sanea correctamente antes de mostrarse en el panel de administraci\u00f3n. Este problema ha sido parcheado en las versiones 4.10.1 y 5.5.2."}], "lastModified": "2026-02-10T18:10:55.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9", "versionEndExcluding": "4.10.1", "versionStartIncluding": "4.0.1"}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B", "versionEndExcluding": "5.5.2", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1"}, {"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*", "vulnerable": true, "matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}