Vulnerability Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Commerce | >= 4.0.1, < 4.10.1 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935Patch
- https://github.com/craftcms/commerce/releases/tag/4.10.1Release Notes
- https://github.com/craftcms/commerce/releases/tag/5.5.2Release Notes
- https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9jExploitVendor Advisory
FAQ
What is CVE-2026-25482?
CVE-2026-25482 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The ...
How severe is CVE-2026-25482?
CVE-2026-25482 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25482?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Commerce.