CVE-2026-25485
MEDIUM
GHSA-w8gw-qm8p-j9j3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Tags
Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Analysis
Stored XSS in Craft Commerce shipping category fields allows authenticated attackers with high privileges to inject malicious scripts that execute in administrators' browsers, affecting versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The vulnerability stems from insufficient sanitization of the Name and Description fields in the Store Management section before display in the admin panel. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today