Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS with potential database exfiltration
Action: Purge now
AI Analysis

Impact

Craft Commerce has a stored cross-site scripting flaw in the Order Status History Message. The message is rendered with the |md filter, which passes raw HTML through, so a script embedded in the message executes whenever it is viewed in a browser. This can compromise user credentials, customer personal data, order history, and even two-factor recovery codes if the attacker also holds backup-utility permissions. The vulnerability is a moderate-severity threat: script execution alone allows session hijacking and data theft, while backup-utility access turns it into full database exfiltration.

Affected Systems

Affected products are Craft CMS Commerce from the 4.x series (4.0.0‑RC1 to 4.10.0) and from the 5.x series (5.0.0 to 5.5.1). The vulnerability is resolved in releases 4.10.1 and 5.5.2.

Risk and Exploitability

The CVSS score is 6.2 and the EPSS is below 1%, indicating moderate technical severity but a low likelihood of observed exploitation. The flaw can be exploited by any authenticated user able to edit order status messages, even without elevated permissions; a separate prerequisite, the database backup utility permission, is what enables extraction of the entire database. Because the attack requires authenticated access to the backend, the risk depends on the organization's role-based access controls.

Generated by OpenCVE AI on April 18, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 4.10.1 or newer, or 5.5.2 or newer; this resolves the stored XSS and the backup‑utility exploitation path.
  • If an upgrade is not yet possible, configure the CMS to sanitize or strip HTML from order status messages, effectively disabling the |md filter functionality for that field.
  • Review and revoke database backup‑utility permissions for any roles that do not require it, reducing the impact window for potential data exfiltration.
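An added example, not Craft's or Commerce's own code, that models the bug class described above and the workaround in the recommended actions: a toy Markdown subset stands in for the |md filter, encode=True shows HTML-encoding the message before Markdown rendering, and a triage helper flags stored order-status-history rows that carry raw HTML. The row shape, field names and sample messages are constructed.

```python
import html
import re

# Minimal stand-in for a Markdown filter: **bold** and [text](url) only.
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
# Any HTML tag, and the subset that is never legitimate in a status note.
_RAW_HTML = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)
_DANGEROUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg|img)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE)

def _link(m):
    text, url = m.group(1), m.group(2)
    if not url.lower().startswith(("http://", "https://")):
        return m.group(0)  # keep non-http(s) links as literal text
    return f'<a href="{url}">{text}</a>'

def render_md(message, encode=False):
    """encode=False mirrors the vulnerable behaviour: raw HTML in the stored
    message is copied to the output, so a <script> runs in the browser of
    whoever views the order's status history.  encode=True is the workaround:
    HTML-encode first, then apply Markdown, so only Markdown-generated tags
    reach the page."""
    text = html.escape(message, quote=True) if encode else message
    text = _BOLD.sub(r"<strong>\1</strong>", text)
    return _LINK.sub(_link, text)

# Constructed rows shaped like an order-status-history export; not real data.
SAMPLE_HISTORY = [
    {"orderId": 1001, "message": "Shipped via **UPS**, tracking emailed."},
    {"orderId": 1002, "message": "Refund approved, see <b>ticket 42</b>."},
    {"orderId": 1003, "message": "Held: <script>alert(1)</script> pending review"},
]

def find_suspicious_messages(rows):
    """Triage stored messages: a legitimate status note is plain text or light
    Markdown, so any HTML tag deserves a look, and script-capable constructs
    are flagged separately.  Returns [(orderId, reason), ...]."""
    findings = []
    for row in rows:
        msg = row["message"]
        if _DANGEROUS.search(msg):
            findings.append((row["orderId"], "dangerous-html"))
        elif _RAW_HTML.search(msg):
            findings.append((row["orderId"], "raw-html"))
    return findings
```

Running find_suspicious_messages over a real export of the order history table, before and after upgrading, tells you whether the field was ever used to store markup.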



Advisories
Source: Github GHSA
ID: GHSA-8478-rmjg-mjj5
Title: Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
History

Tue, 10 Feb 2026 18:00:00 +0000

Type: First Time appeared
  Values Added: Craftcms craft Commerce
Type: CPEs
  Values Added:
    cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
    cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
    cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Type: Vendors & Products
  Values Added: Craftcms craft Commerce
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 04 Feb 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
  Values Added: Craftcms; Craftcms commerce
Type: Vendors & Products
  Values Added: Craftcms; Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

Type: Description
  Values Added: Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
Type: Title
  Values Added: Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:51:19.008Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25483

Vulnrichment

Updated: 2026-02-04T15:46:23.252Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:25.717

Modified: 2026-02-10T17:52:55.530

Link: CVE-2026-25483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses