Craft Commerce has Stored XSS in Product Type Name

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.

Basic Information

ID CVE-2026-25484

Source GitHub_M

Published Feb 3, 2026 at 18:06

Affected Product

Vendor craftcms

Product commerce

Version >= 4.0.0-RC1, < 4.10.1

Affected Versions craftcms commerce >= 4.0.0-RC1, < 4.10.1
craftcms commerce >= 5.0.0, < 5.5.2

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.",
    "published": "2026-02-03T18:06:36.706Z",
    "modified": "2026-02-03T18:06:36.706Z",
    "type": "cve",
    "title": "Craft Commerce has Stored XSS in Product Type Name",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c\nhttps://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c\nhttps://github.com/craftcms/commerce/releases/tag/4.10.1\nhttps://github.com/craftcms/commerce/releases/tag/5.5.2",
    "id": "CVE-2026-25484",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "craftcms commerce >= 4.0.0-RC1, < 4.10.1\ncraftcms commerce >= 5.0.0, < 5.5.2",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "commerce",
    "version": ">= 4.0.0-RC1, < 4.10.1",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft Commerce has Stored XSS in Product Type Name_CVE-2026-25484