Stored XSS Vulnerability in Craft Commerce by Craft CMS
CVE-2026-25490
6.1 MEDIUM
What is CVE-2026-25490?
Craft Commerce, an e-commerce platform for Craft CMS, contains a stored cross-site scripting (XSS) vulnerability that lets an attacker run JavaScript in the browser of an administrator. The flaw arises because the 'Address Line 1' field of an Inventory Location is not sufficiently sanitized or escaped before it is rendered in the admin panel, so a payload saved into that field persists and executes whenever an administrator views the location. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the issue is fixed in 4.10.1 and 5.5.2.
Affected Version(s)
Package    Affected range            Unaffected
commerce   >= 4.0.0-RC1, < 4.10.1    < 4.0.0-RC1, 4.10.1
commerce   >= 5.0.0, < 5.5.2         < 5.0.0, 5.5.2
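As an added example (not code from Craft CMS or from this advisory), the following Python reads the installed Craft Commerce version from a composer.lock and tests it against the two ranges above. The Composer package name craftcms/commerce and the lock-file layout are assumptions, and the sample lock file is constructed. The detail worth getting right is that 4.0.0-RC1 is a pre-release and must sort before the final 4.0.0; a naive string or tuple comparison either rejects the RC tag or places it after 4.0.0 and misses the earliest affected builds.

```python
"""Check a Craft Commerce install against the CVE-2026-25490 affected ranges.

Added example, not code from Craft CMS. The package name craftcms/commerce and
the composer.lock structure are assumptions about a typical Composer project.
"""
import json
import re
from typing import Optional, Tuple

# (first affected, first fixed) per the advisory; the upper bound is exclusive.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.10.1"),
    ("5.0.0", "5.5.2"),
]

PACKAGE = "craftcms/commerce"  # assumed Composer package name

# Optional leading "v", three numeric components, optional "-<pre-release>".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def _pre_part(part: str) -> Tuple[str, int]:
    """Split a pre-release component such as 'RC1' into ('rc', 1) so RC1 < RC2."""
    m = re.match(r"^([A-Za-z]*)(\d*)$", part)
    if not m:
        return (part.lower(), 0)
    return (m.group(1).lower(), int(m.group(2) or 0))


def parse_version(text: str) -> tuple:
    """Return a sortable key. A final release sorts after its own pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        # e.g. "dev-main": cannot be placed in the ranges, let the caller decide
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        pre_key: tuple = (1,)  # final release: greater than any pre-release
    else:
        pre_key = (0,) + tuple(_pre_part(p) for p in re.split(r"[.-]", pre))
    return (major, minor, patch, pre_key)


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return fixed
    return None


def check_composer_lock(lock_json: str) -> Optional[str]:
    """Find craftcms/commerce in a composer.lock document.

    Returns the fixed version to upgrade to when the installed version is
    affected, None when it is not, and raises LookupError if the package is
    not installed at all (so "not found" is never mistaken for "not affected").
    """
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == PACKAGE:
            return fix_for(pkg["version"])
    raise LookupError(f"{PACKAGE} not found in composer.lock")


# Constructed sample composer.lock fragment (not from a real install).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/unrelated", "version": "1.2.3"},
        {"name": "craftcms/commerce", "version": "4.10.0"},
    ]
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # prints 4.10.1: affected, upgrade to 4.10.1
```

Run it against a real project with `check_composer_lock(open("composer.lock").read())`. A `ValueError` from `parse_version` means the lock pins a branch alias such as `dev-main`, which cannot be placed in the ranges and should be checked by hand against the fixed commits.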
