Skip to main content

Craft Commerce CVE-2026-25483

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-03 security-advisories@github.com GHSA-8478-rmjg-mjj5
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 10, 2026 - 17:52 vuln.today
Public exploit code
Patch released
Feb 10, 2026 - 17:52 nvd
Patch available
CVE Published
Feb 03, 2026 - 19:16 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

AnalysisAI

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1) allows authenticated attackers with database backup permissions to inject malicious scripts that execute in the context of other users' browsers. Public exploit code exists for this vulnerability, enabling attackers to exfiltrate sensitive data including user credentials, customer PII, order history, and 2FA recovery codes. Patches are available in versions 4.10.1 and 5.5.2.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Craft Commerce. Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, orde

RemediationAI

A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2026-29172 HIGH POC
8.8 Mar 10

SQL injection in Craft Commerce's purchasables endpoint allows authenticated attackers to manipulate the sort parameter

CVE-2026-29174 HIGH POC
8.8 Mar 10

Craft Commerce versions prior to 5.5.3 contain an SQL injection vulnerability in the inventory levels endpoint where sor

CVE-2026-29175 MEDIUM POC
5.4 Mar 10

Craft Commerce versions before 5.5.3 contain stored cross-site scripting (XSS) vulnerabilities in the inventory manageme

CVE-2026-29177 MEDIUM POC
5.4 Mar 10

Stored XSS in Craft Commerce Order details allows authenticated users to inject malicious scripts through Shipping Metho

CVE-2026-25488 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h

CVE-2026-25487 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with h

CVE-2026-25486 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges

CVE-2026-25522 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

CVE-2026-25482 MEDIUM POC
4.8 Feb 03

Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in

CVE-2026-25490 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

CVE-2026-25489 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high p

CVE-2026-25485 MEDIUM POC
4.8 Feb 03

Stored XSS in Craft Commerce shipping category fields allows authenticated attackers with high privileges to inject mali

Share

CVE-2026-25483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy