Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in administrative Tax Category fields can lead to privilege escalation or session hijacking when an attacker injects malicious JavaScript that runs in an administrator’s browser.
Action: Patch
AI Analysis

Impact

Craft Commerce versions 4.0.0‑RC1 through 4.10.0 and 5.0.0 through 5.5.1 allow stored XSS via the Name and Description fields of Tax Categories in the Store Management section. The input in these fields is not sanitized before being rendered in the admin panel, enabling an attacker to inject JavaScript that executes with the privileges of the logged‑in administrator. An attacker could steal session cookies, gain elevated access, or modify site content, providing a foothold for broader compromise.

Affected Systems

Affected vendors include CraftCMS Commerce. In particular, Craft Commerce releases 4.0.0‑RC1 to 4.10.0 and 5.0.0 to 5.5.1 are vulnerable. The vulnerability is fixed in releases 4.10.1 and 5.5.2 and later. All other versions are unaffected.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low, and the item is not listed in the CISA KEV catalog. Exploitation requires the attacker to either authenticate as an administrator or otherwise find a path to edit Tax Category entries; thus it is likely to be limited to compromised or vulnerable admin accounts. If the attacker gains such access, arbitrary JavaScript execution could lead to credential theft and privilege escalation within the Craft CMS environment.

Generated by OpenCVE AI on April 18, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 4.10.1, 5.5.2, or later to remove the unsanitized input handling.
  • Limit the ability to edit Tax Category Name and Description fields to a minimal set of trusted administrator roles to reduce the attack surface.
  • Deploy a Content Security Policy that disallows inline scripts and limits script execution in the administrative interface, thereby mitigating the impact of any remaining stored XSS payloads.

Generated by OpenCVE AI on April 18, 2026 at 00:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p6w8-q63m-72c8 Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
History

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Title Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:13:48.706Z

Reserved: 2026-02-02T16:31:35.823Z

Link: CVE-2026-25488

cve-icon Vulnrichment

Updated: 2026-02-04T21:13:45.457Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.517

Modified: 2026-02-10T18:10:27.177

Link: CVE-2026-25488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses