Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in product type names
Action: Mitigate
AI Analysis

Impact

The stored cross‑site scripting (XSS) in Craft Commerce occurs because product type names entered by users are displayed without sanitization in the CMS user permissions settings. An attacker who can edit product types can store arbitrary JavaScript in a product type name; it then executes in the context of the permission‑editing page for any user who views those settings. The injected code can lead to session hijacking, credential theft, or defacement of the admin interface.

Affected Systems

The flaw affects Craft Commerce for Craft CMS versions from 4.0.0‑RC1 through 4.10.0 and from 5.0.0 through 5.5.1. Versions 4.10.1 and 5.5.2 contain a patch that sanitizes product type names before rendering in permission settings, eliminating the stored XSS vector.

Risk and Exploitability

The CVSS v3 score is 4.8, which is medium severity, while the EPSS score is below 1%, indicating a low likelihood of public exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires access to the product‑type management interface; an attacker with that privilege can inject scripts that will run for any user who subsequently views the permissions page.

Generated by OpenCVE AI on April 18, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to 4.10.1 or later (4.x) or 5.5.2 or later (5.x); these releases sanitize product type names before rendering.
  • If an upgrade cannot be performed immediately, delete or manually edit any product type names that contain special characters or script fragments to remove the stored payload.
  • Restrict permissions so that only trusted administrators can create or edit product types, reducing the attack surface for XSS injection.
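The following PHP is an added example, not Craft CMS or Craft Commerce code, showing the two halves of the fix described above: escaping a product type name at the point where it is rendered into an HTML label (the sink), and a small audit routine for the interim mitigation that lists stored names containing HTML metacharacters so an administrator can review them. The function names, the label markup and the sample names are all constructed for illustration and do not reflect Craft's real templates or data.

```php
<?php
// Added example (not Craft CMS / Craft Commerce code): escape product type
// names on output and audit stored names for HTML metacharacters.

declare(strict_types=1);

/**
 * Escape a product type name for safe inclusion in HTML text or in a quoted
 * attribute. ENT_QUOTES also neutralises single and double quotes, so the
 * value cannot break out of an attribute such as a permission label's value.
 */
function escapeProductTypeName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern (constructed, for contrast): the untrusted name is
 * concatenated into the permissions-page markup exactly as stored.
 */
function renderPermissionLabelUnsafe(string $name): string
{
    return '<label>Manage "' . $name . '" products</label>';
}

/**
 * Hardened pattern: the name is escaped at the sink, so any markup stored in
 * it is displayed as text rather than interpreted by the browser.
 */
function renderPermissionLabelSafe(string $name): string
{
    return '<label>Manage "' . escapeProductTypeName($name) . '" products</label>';
}

/**
 * Audit helper for the interim mitigation: return the names that contain
 * characters with special meaning in HTML so an administrator can review
 * them before upgrading. The names are assumed to be read from the Commerce
 * product type table; here they come from a constructed list.
 */
function findSuspiciousProductTypeNames(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $n): bool => preg_match('/[<>"\'&]/', $n) === 1
    ));
}

// Constructed sample names, not real data.
$sampleNames = [
    'Clothing',
    'Gift Cards & Vouchers',
    'Books <b>on sale</b>',
];

foreach ($sampleNames as $name) {
    echo renderPermissionLabelUnsafe($name), PHP_EOL;
    echo renderPermissionLabelSafe($name), PHP_EOL;
}

print_r(findSuspiciousProductTypeNames($sampleNames));
```

The audit deliberately over-reports: a legitimate name such as "Gift Cards & Vouchers" is flagged alongside one carrying markup, which is why manual review is the right interim step and output escaping, as in the patched releases, is the durable fix.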

Advisories
Source | ID | Title
Github GHSA | GHSA-2h2m-v2mg-656c | Craft Commerce has Stored XSS in Product Type Name
History

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms craft Commerce
CPEs | | cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
     | | cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
     | | cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Vendors & Products | | Craftcms craft Commerce
Metrics | | cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms
                    | | Craftcms commerce
Vendors & Products | | Craftcms
                   | | Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
Title | | Craft Commerce has Stored XSS in Product Type Name
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:51:13.282Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25484

Vulnrichment

Updated: 2026-02-04T15:46:20.644Z

NVD

Status: Analyzed

Published: 2026-02-03T19:16:25.877

Modified: 2026-02-10T18:13:04.970

Link: CVE-2026-25484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses