What is the CVSS score of CVE-2026-25487?

CVE-2026-25487 has a CVSS 3.1 base score of 4.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Craft Commerce are affected by CVE-2026-25487?

Organizations using Craft Commerce should be aware of moderate risk from CVE-2026-25487, a cross-site scripting vulnerability rated CVSS 4.8.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25487?

Yes, a public proof-of-concept exploit is available for CVE-2026-25487. Prioritise patching immediately. EPSS: 0.0%.

Craft Commerce CVE-2026-25487

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-02-03 security-advisories@github.com

GHSA-wqc5-485v-3hqh

XSS Craft Commerce

4.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 10, 2026 - 18:10 vuln.today

Public exploit code

Patch released

Feb 10, 2026 - 18:10 nvd

Patch available

CVE Published

Feb 03, 2026 - 19:16 nvd

MEDIUM 4.8

DescriptionNVD

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

AnalysisAI

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts via unsanitized Tax Rates name fields, enabling arbitrary JavaScript execution in other administrators' browsers. Public exploit code exists for this vulnerability. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-25487 vulnerability details – vuln.today

Back