CVE-2026-25490 (GCVE-0-2026-25490)
Vulnerability from cvelistv5 – Published: 2026-02-03 18:09 – Updated: 2026-02-03 20:27
VLAI?
Title
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:25:17.822027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:27:49.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "commerce",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:09:33.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
},
{
"name": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"source": {
"advisory": "GHSA-wq2m-r96q-crrf",
"discovery": "UNKNOWN"
},
"title": "Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25490",
"datePublished": "2026-02-03T18:09:33.290Z",
"dateReserved": "2026-02-02T16:31:35.823Z",
"dateUpdated": "2026-02-03T20:27:49.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25490\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-03T19:16:26.817\",\"lastModified\":\"2026-02-10T18:08:32.630\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"4.10.1\",\"matchCriteriaId\":\"6EFA9347-254D-4D9E-84B1-8C0FFCC377F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.5.2\",\"matchCriteriaId\":\"65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"2B409639-1C00-4E9C-950E-77058C40A5F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/4.10.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/5.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25490\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T20:25:17.822027Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T20:26:12.111Z\"}}], \"cna\": {\"title\": \"Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation\", \"source\": {\"advisory\": \"GHSA-wq2m-r96q-crrf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"commerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-RC1, \u003c 4.10.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf\", \"name\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee\", \"name\": \"https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T18:09:33.290Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25490\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T20:27:49.508Z\", \"dateReserved\": \"2026-02-02T16:31:35.823Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T18:09:33.290Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-WQ2M-R96Q-CRRF
Vulnerability from github – Published: 2026-02-02 23:02 – Updated: 2026-02-03 21:40
VLAI?
Summary
Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation
Details
Summary
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel.
Proof of Concept
Required Permissions
- General permissions:
- Access the control panel
- Access Craft Commerce
- Craft Commerce permissions:
- Manage inventory locations
- An active administrator elevated session
Steps to Reproduce
- Log in to the Admin Panel with the attacker account with the permissions mentioned above.
- Navigate to Commerce -> Inventory Locations -> Default (
/admin/commerce/inventory-locations/1). - In the Address Line 1 field, enter the following payload:
<img src=x onerror="alert(document.domain)">
- Click Save and you'll be redirected back to the Inventory Locations page.
- Notice the alert proving JavaScript execution.
Privilege Escalation to Administrator:
- Do the same steps above, but replace the payload with a malicious one.
- The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the
<UserID>with the attacker id:
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
- In another browser, log in as an admin & go to the vulnerable page (Inventory Location page).
- Go back to the attacker account & notice it now has admin status.
The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.
Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.
Resources:
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.10.0"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25490"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T23:02:33Z",
"nvd_published_at": "2026-02-03T19:16:26Z",
"severity": "MODERATE"
},
"details": "## Summary\nA stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel.\n\n## Proof of Concept\n\n### Required Permissions\n- General permissions:\n\t- Access the control panel\n\t- Access Craft Commerce\n- Craft Commerce permissions:\n\t- Manage inventory locations\n- An active administrator elevated session\n\n\u003cimg width=\"887\" height=\"832\" alt=\"req-perms\" src=\"https://github.com/user-attachments/assets/7a9a5ef6-4fc3-4af1-8ded-08861ead0b7e\" /\u003e\n\n\n### Steps to Reproduce\n1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.\n2. Navigate to **Commerce** -\u003e **Inventory Locations** -\u003e **Default** (`/admin/commerce/inventory-locations/1`).\n3. In the **Address Line 1** field, enter the following payload:\n```html\n\u003cimg src=x onerror=\"alert(document.domain)\"\u003e\n```\n4. Click **Save** and you\u0027ll be redirected back to the **Inventory Locations** page.\n5. Notice the alert proving JavaScript execution.\n\u003cimg width=\"1814\" height=\"606\" alt=\"alert-poc\" src=\"https://github.com/user-attachments/assets/f08aed21-a676-4dee-85a8-d195bab85685\" /\u003e\n\n\n\n### Privilege Escalation to Administrator:\n1. Do the same steps above, but replace the payload with a malicious one.\n2. The following payload elevates the attacker\u2019s account to Admin if there\u2019s already an elevated session, replace the `\u003cUserID\u003e` with the attacker id:\n```html\n\u003cimg src=x onerror=\"fetch(\u0027/admin/users/\u003cUserID\u003e/permissions\u0027,{method:\u0027POST\u0027,body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}\u0026userId=\u003cUserID\u003e\u0026admin=1\u0026action=users/save-permissions`,headers:{\u0027content-type\u0027:\u0027application/x-www-form-urlencoded\u0027}})\"\u003e\n```\n3. In another browser, log in as an admin \u0026 go to the vulnerable page (Inventory Location page).\n4. Go back to the attacker account \u0026 notice it now has admin status.\n\nThe privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim\u2019s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.\n\nOr even easier (and smarter), an attacker (using the XSS) can create a fake \u0027Session Expired\u0027 login modal overlay. Since it\u2019s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.\n\n### Resources:\n\nhttps://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee",
"id": "GHSA-wq2m-r96q-crrf",
"modified": "2026-02-03T21:40:50Z",
"published": "2026-02-02T23:02:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25490"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": " Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation"
}
FKIE_CVE-2026-25490
Vulnerability from fkie_nvd - Published: 2026-02-03 19:16 - Updated: 2026-02-10 18:08
Severity ?
Summary
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| craftcms | craft_commerce | * | |
| craftcms | craft_commerce | * | |
| craftcms | craft_commerce | 4.0.0 | |
| craftcms | craft_commerce | 4.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
"matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9",
"versionEndExcluding": "4.10.1",
"versionStartIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
"matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B",
"versionEndExcluding": "5.5.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*",
"matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*",
"matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the \u0027Address Line 1\u0027 field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2."
}
],
"id": "CVE-2026-25490",
"lastModified": "2026-02-10T18:08:32.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-03T19:16:26.817",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…