Stored XSS Vulnerability in Craft Commerce E-commerce Platform
CVE-2026-25485
6.2MEDIUM
What is CVE-2026-25485?
Craft Commerce, an e-commerce platform for Craft CMS, has a stored XSS vulnerability that allows attackers to execute harmful JavaScript in an administrator's browser. This vulnerability arises from insufficient sanitization of the Shipping Categories (Name & Description) fields in the Store Management section. The issue affects versions ranging from 4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1. Security updates have been released in versions 4.10.1 and 5.5.2 to mitigate this risk.
Affected Version(s)
commerce >= 4.0.0-RC1, < 4.10.1 < 4.0.0-RC1, 4.10.1
commerce >= 5.0.0, < 5.5.2 < 5.0.0, 5.5.2