{“lastseen”:””,”description”:”Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator\u2019s browser. This occurs because the Shipping Zone (Name \\u0026 Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.”,”published”:”2026-02-03T18:10:33.911Z”,”modified”:”2026-02-03T19:22:34.780Z”,”type”:”cve”,”title”:”Craft Commerce has Stored XSS in Shipping Zone (Name \\u0026 Description) Fields Leading to Potential Privilege Escalation”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/craftcms\/commerce\/security\/advisories\/GHSA-h9r9-2pxg-cx9m\\nhttps:\/\/github.com\/craftcms\/commerce\/commit\/fa273330807807d05b564d37c88654cd772839ee\\nhttps:\/\/github.com\/craftcms\/commerce\/releases\/tag\/4.10.1\\nhttps:\/\/github.com\/craftcms\/commerce\/releases\/tag\/5.5.2″,”id”:”CVE-2026-25522″,”bulletinFamily”:””,”cwe”:[“CWE-79″],”cvelist”:null,”sourceData”:”craftcms commerce \\u003e= 4.0.0-RC1, \\u003c 4.10.1\\ncraftcms commerce \\u003e= 5.0.0, \\u003c 5.5.2″,”sourceHref”:””,”cvss”:{“score”:6.1,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:H\/UI:P\/VC:N\/VI:N\/VA:N\/SC:L\/SI:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”commerce”,”version”:”\\u003e= 4.0.0-RC1, \\u003c 4.10.1″,”vendor”:”craftcms”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,31,12,21,13,7,11,5],"class_list":["post-38884","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-61","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n