Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Stored XSS in Craft Commerce Tax Zone fields
Action: Immediate Patch
AI Analysis

Impact

Craft Commerce versions 4.0.0‑RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored cross‑site scripting flaw that arises when the Name or Description fields of Tax Zones are not properly sanitized. When an attacker injects malicious JavaScript into these fields, the code is executed in the browser of anyone who views the tax zone entries in the administrator control panel. This can allow session theft, phishing, or other malicious actions within the admin interface, effectively leading to privilege escalation or abuse of administrative privileges.

Affected Systems

The vulnerability affects all installations of Craft CMS Commerce in the affected version ranges. Vendors include Craft CMS under the product name Craft Commerce. The impacted versions are 4.0.0‑RC1 to 4.10.0 and 5.0.0 to 5.5.1. Any deployment using those releases should verify the current version and assess whether the vulnerable tax zone data has been stored.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% shows a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require access to the administrator console, either through pre‑existing administrative credentials or successful compromise of an admin account, to submit malicious payloads into the vulnerable fields.

Generated by OpenCVE AI on April 18, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 4.10.1 or newer, or to 5.5.2 or newer, to apply the vendor patch.
  • If an upgrade cannot be performed immediately, restrict admin console access to trusted administrators only and monitor for suspicious content in Tax Zone Name and Description fields.
  • After applying the patch, review and sanitize existing Tax Zone entries to remove any embedded scripts that may still be stored in the database.

Generated by OpenCVE AI on April 18, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v585-mf6r-rqrc Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
History

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Tue, 03 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Title Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T20:34:09.676Z

Reserved: 2026-02-02T16:31:35.823Z

Link: CVE-2026-25489

cve-icon Vulnrichment

Updated: 2026-02-03T20:32:06.758Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.667

Modified: 2026-02-10T18:08:57.537

Link: CVE-2026-25489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses