Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting capable of escalating privileges to administrators
Action: Immediate Patch
AI Analysis

Impact

Craft Commerce includes a stored cross‑site scripting flaw in the Shipping Zone Name and Description fields. Attackers can inject malicious JavaScript that is rendered unchanged when an administrator views the shipping zone records. This vulnerability enables attackers to steal session cookies, perform actions in the context of the logged‑in admin, and potentially gain broader access to the site. The primary impact is the unintended execution of arbitrary scripts in the privileged administrator’s browser, undermining the confidentiality and integrity of administrative sessions. The weakness is classified as CWE‑79.

Affected Systems

Craft Commerce versions 4.0.0‑RC1 through 4.10.0 and 5.0.0 through 5.5.1 are affected. The defect is patched in 4.10.1 for the 4.x series and in 5.5.2 for the 5.x series.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and an EPSS probability of less than one percent suggests the vulnerability is unlikely to be widely exploited in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers must first obtain the ability to write to a shipping zone, typically by holding administrator privileges or by compromising an account with such rights. Once the payload is stored, any administrator who later views the record triggers the script. Since the flaw stems from missing input validation and output escaping, injecting JavaScript is straightforward once the required write access is obtained.

Generated by OpenCVE AI on April 18, 2026 at 00:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 4.10.1 or later on the 4.x series, or to version 5.5.2 or later on the 5.x series.
  • If an upgrade is not immediately possible, restrict access to Shipping Zone creation and editing to a minimal set of trusted administrators or disable the feature entirely until a patch can be applied.
  • Ensure that the Shipping Zone Name and Description fields are properly sanitized and escaped before display, or implement server‑side validation to reject script tags and other executable content.
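As an added illustration of the escaping the last recommendation calls for (this is not Craft Commerce's own code; the row-rendering functions, the `h()` helper and the sample zone record are constructed here), the raw concatenation pattern that produces this class of bug is shown beside its escaped form, together with a plain-text validation rule for the two fields.

```php
<?php
// Constructed illustration: escape Shipping Zone Name/Description on output
// and optionally reject markup on input. Not Craft Commerce's code.
declare(strict_types=1);

/** Escape a value for an HTML text or attribute context. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: field values concatenated into admin-panel HTML unescaped. */
function renderZoneRowUnsafe(array $zone): string
{
    return '<tr><td>' . $zone['name'] . '</td><td>' . $zone['description'] . '</td></tr>';
}

/** Hardened pattern: every field escaped for the context it is inserted into. */
function renderZoneRowSafe(array $zone): string
{
    // Escape first, then convert newlines, so line breaks survive but no
    // user-supplied tag is ever emitted as markup.
    $description = nl2br(h($zone['description']), false);
    return '<tr><td title="' . h($zone['name']) . '">' . h($zone['name']) . '</td>'
         . '<td>' . $description . '</td></tr>';
}

/**
 * Optional server-side rule for plain-text fields: refuse anything strip_tags
 * would alter. This is defence in depth only; output escaping is the primary control.
 */
function validatePlainText(string $value, string $field): ?string
{
    return $value === strip_tags($value) ? null : "$field must not contain HTML tags.";
}

// Constructed sample record carrying the kind of script payload the advisory describes.
$zone = [
    'name'        => "EU Zone <script>alert('xss')</script>",
    'description' => "Ships to EU\nExcludes <b>islands</b>",
];

echo renderZoneRowUnsafe($zone), PHP_EOL; // script tag passed through to the admin's browser
echo renderZoneRowSafe($zone), PHP_EOL;   // tag characters encoded; shown as literal text
var_dump(validatePlainText($zone['name'], 'Name'));
var_dump(validatePlainText('EU Zone', 'Name'));
```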



Advisories

Source        ID                     Title
GitHub GHSA   GHSA-h9r9-2pxg-cx9m    Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
History

Wed, 18 Feb 2026 16:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Craftcms craft Commerce
CPEs                  -                cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products    -                Craftcms craft Commerce
Metrics               -                cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Craftcms; Craftcms commerce
Vendors & Products    -                Craftcms; Craftcms commerce

Tue, 03 Feb 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Title         -                Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV4_0 {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T19:22:34.780Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25522

Vulnrichment

Updated: 2026-02-03T19:22:24.431Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:27.290

Modified: 2026-02-18T16:14:46.673

Link: CVE-2026-25522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses