PT-2026-5744 · Craft Cms · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25483

CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description

Craft Commerce is susceptible to a stored cross-site scripting (XSS) issue within the Order Status History Message functionality. The system renders this message using the |md filter, which allows raw HTML, potentially enabling malicious script execution. An attacker with database backup utility permissions can potentially exfiltrate the entire database, including user credentials, customer Personally Identifiable Information (PII), order history, and two-factor authentication (2FA) recovery codes.

The vulnerability resides in the vendor/craftcms/commerce/src/templates/orders/history.twig file, specifically in the {{ orderHistory.message | md }} section, where the |md Twig filter does not sanitize HTML tags. The exfiltrated database may contain usernames, emails, password hashes, customer PII such as names and addresses, transaction records, GraphQL tokens, and potentially payment gateway secrets.

Recommendations

Craft Commerce versions 4.0.0-RC1 through 4.10.0: update to version 4.10.1 or later.
Craft Commerce versions 5.0.0 through 5.5.1: update to version 5.5.2 or later.
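The root cause above is a Markdown filter that passes raw HTML through to the rendered page. The following Python is an added example, not code from the advisory or from Craft Commerce: it audits stored order-status history messages for raw HTML (an indicator that a payload was stored before patching) and shows the mitigation of HTML-encoding user-controlled text before it reaches a Markdown renderer. The sample rows and their column names are constructed placeholders, not the real Commerce schema.

```python
"""Audit order-status history messages for raw HTML that a Markdown filter
which does not sanitize tags (as |md did here) would render as active content."""
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for Commerce order history records
# (column names are placeholders, not the real table layout).
SAMPLE_HISTORY = [
    {"id": 1, "message": "Shipped via **courier**, tracking 123"},
    {"id": 2, "message": "Refund *pending* review, total < 10"},
    {"id": 3, "message": "<script src=\"https://example.invalid/x.js\"></script>"},
    {"id": 4, "message": "Customer called <b>twice</b>"},
    {"id": 5, "message": "<a href=\"#\" onclick=\"void(0)\">details</a>"},
]


class RawHtmlDetector(HTMLParser):
    """Records every start tag and any on* event-handler attribute seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def find_raw_html(message: str) -> list[str]:
    """Return the raw HTML tags/handlers in a message; empty for plain Markdown."""
    parser = RawHtmlDetector()
    parser.feed(message)
    parser.close()
    return parser.findings


def audit_history(rows) -> dict[int, list[str]]:
    """Map row id -> findings for every stored message carrying raw HTML."""
    return {r["id"]: f for r in rows if (f := find_raw_html(r["message"]))}


def encode_before_markdown(message: str) -> str:
    """Mitigation: HTML-encode user-controlled text before Markdown rendering,
    so tags survive only as literal text and just Markdown syntax is interpreted."""
    return html.escape(message, quote=True)


if __name__ == "__main__":
    for row_id, findings in audit_history(SAMPLE_HISTORY).items():
        print(f"order history row {row_id}: raw HTML {findings}")
```

Run the audit against an export of the history messages after upgrading, and treat any flagged row as a stored payload to be cleaned up rather than a legitimate status note.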

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25483
GHSA-8478-RMJG-MJJ5

Affected Products

Craft Commerce