Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting potentially leading to privilege escalation
Action: Patch Now
AI Analysis

Impact

Craft Commerce allows malicious JavaScript to be stored in the Address Line 1 field of Inventory Locations because input is not sanitized before display in the admin interface. This stored XSS flaw is a CWE‑79 vulnerability that lets an attacker execute code in an administrator’s browser, potentially compromising the admin’s session, extracting credentials, or performing other malicious actions within the Craft CMS backend.

Affected Systems

The affected product is Craft Commerce for Craft CMS. Versions 4.0.0‑RC1 through 4.10.0 inclusive, and 5.0.0 through 5.5.1 inclusive are vulnerable. The flaw is patched in 4.10.1 and 5.5.2 and later releases.

Risk and Exploitability

The vulnerability carries a moderate CVSS score of 6.1 and a very low EPSS score of less than 1 %, indicating limited exploitation likelihood at present. It is not listed in the CISA KEV catalogue. The attack requires the ability to insert or modify an inventory location’s address field, which, based on the description, is inferred to require authenticated administrative access. Once the malicious script is stored, any administrator who views the inventory location will have the script executed in their browser, enabling potential credential theft, session hijacking, or other escalation of privilege within the Craft CMS admin panel.

Generated by OpenCVE AI on April 18, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to a patched version (4.10.1 or later in the 4.x line, or 5.5.2 or later in the 5.x line).
  • Audit existing inventory location address values and remove any malicious script payloads.
  • Apply a content‑security‑policy that blocks inline JavaScript to mitigate the impact of any remaining unpatched XSS.

Generated by OpenCVE AI on April 18, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wq2m-r96q-crrf Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
History

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Tue, 03 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Title Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T20:27:49.508Z

Reserved: 2026-02-02T16:31:35.823Z

Link: CVE-2026-25490

cve-icon Vulnrichment

Updated: 2026-02-03T20:26:12.111Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.817

Modified: 2026-02-10T18:08:32.630

Link: CVE-2026-25490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses