Vulnerability Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Commerce | >= 4.0.1, < 4.10.1 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffPatch
- https://github.com/craftcms/commerce/releases/tag/4.10.1Release Notes
- https://github.com/craftcms/commerce/releases/tag/5.5.2Release Notes
- https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656cExploitVendor Advisory
FAQ
What is CVE-2026-25484?
CVE-2026-25484 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displa...
How severe is CVE-2026-25484?
CVE-2026-25484 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25484?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Commerce.