What is the CVSS score of CVE-2026-25483?

CVE-2026-25483 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Craft Commerce are affected by CVE-2026-25483?

Organizations using Craft Commerce should be aware of moderate risk from CVE-2026-25483, a cross-site scripting vulnerability rated CVSS 5.4.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25483?

Yes, a public proof-of-concept exploit is available for CVE-2026-25483. Prioritise patching immediately. EPSS: 0.0%.

Craft Commerce CVE-2026-25483

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-02-03 security-advisories@github.com

GHSA-8478-rmjg-mjj5

XSS Craft Commerce

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 10, 2026 - 17:52 vuln.today

Public exploit code

Patch released

Feb 10, 2026 - 17:52 nvd

Patch available

CVE Published

Feb 03, 2026 - 19:16 nvd

MEDIUM 5.4

DescriptionNVD

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

AnalysisAI

Stored XSS in Craft Commerce's Order Status History Message (versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1) allows authenticated attackers with database backup permissions to inject malicious scripts that execute in the context of other users' browsers. Public exploit code exists for this vulnerability, enabling attackers to exfiltrate sensitive data including user credentials, customer PII, order history, and 2FA recovery codes. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-25483 vulnerability details – vuln.today

Back