CVE-2026-25485 - Vulnerability Details

- Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Published: 2026-02-03

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Craft Commerce, the e‑commerce platform for Craft CMS, contains a stored XSS flaw that allows injected JavaScript to run within an administrator’s browser when the Shipping Categories Name or Description fields are viewed. The vulnerability stems from inadequate sanitization before rendering. Successful exploitation permits an attacker to hijack admin sessions, deface content, or broaden their influence over the site’s data, potentially leading to full administrative control.

Affected Systems

The flaw affects Craft CMS Commerce versions 4.0.0‑RC1 through 4.10.0 and 5.0.0 through 5.5.1, covering all installations of the Shipping Categories feature presented in the Store Management panel.

Risk and Exploitability

The CVSS score of 6.2 denotes medium severity and the EPSS score of less than 1% indicates a very low yet non‑zero probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description it is inferred that the attack vector requires the attacker to create or modify a Shipping Category via the admin interface, after which the malicious script executes on subsequent admin‑panel views. Successful exploitation would most likely rely on existing administrative credentials or a compromise of a user with category‑creation rights.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

craftcms

commerce

affected

Version	Status	Constraints
`>= 4.0.0-RC1, < 4.10.1`	affected	—
`>= 5.0.0, < 5.5.2`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::*
	cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::*

No data.

Vendor	Product	Confidence	Versions
Craftcms	Commerce	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Craft Commerce to the latest released versions (4.10.1 or 5.5.2 or later).
Audit existing Shipping Category names and descriptions for unexpected code and remove any that contain malicious scripts.
Restrict the ability to edit Shipping Categories to trusted administrators and enable detailed audit logging to detect unauthorized changes.

Generated by OpenCVE AI on April 18, 2026 at 00:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-w8gw-qm8p-j9j3	Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3

History

Tue, 10 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Craftcms craft Commerce
CPEs		cpe:2.3:a:craftcms:craft_commerce::::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:-::::craft_cms::* cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1::::craft_cms::*
Vendors & Products		Craftcms craft Commerce
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}`

Wed, 04 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Craftcms Craftcms commerce
Vendors & Products		Craftcms Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Title		Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Weaknesses		CWE-79
References		https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3
Metrics		cvssV4_0 `{'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}`

Subscriptions

Craftcms Commerce Craft Commerce

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-03T18:06:45.900Z

Updated: 2026-02-04T16:51:07.751Z

Reserved: 2026-02-02T16:31:35.822Z

Link: CVE-2026-25485

Vulnrichment

Updated: 2026-02-04T15:46:18.308Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.040

Modified: 2026-02-10T18:12:38.437

Link: CVE-2026-25485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object