PT-2026-5745 · Pixel & Tonic · Craft Commerce
Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25484
CVSS v4.0: 4.8 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1
Description
A Stored Cross-Site Scripting (XSS) issue exists in Craft Commerce through Product Type names. The product type name is not properly sanitized when displayed within user permission settings. The vulnerable input is located in Commerce (Product Type settings), while the vulnerable display occurs in CMS user permissions settings. The API endpoint for creating a new Product Type is /admin/commerce/settings/producttypes. The vulnerable parameter is Name. The vulnerable display occurs when accessing user permissions at /admin/users/{UserID}/permissions.
Recommendations
Update to Craft Commerce version 4.10.1 or later.
Update to Craft Commerce version 5.5.2 or later.
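The defect class this advisory describes is a stored value (the product type name) that is written by one privileged user and later interpolated into HTML on another user's permissions page without output encoding. The PHP snippet below is an added illustration written for this page, not Craft Commerce or Craft CMS code: it renders a permission checkbox label from a constructed product type name the way a naive template would, then the way an encoding template would, and runs a small check that the rendered markup contains only the tags the template itself emits. The function names, the label wording and the sample name are assumptions; only the vulnerability location and the fix versions come from the advisory.

```php
<?php
declare(strict_types=1);

// Constructed sample: a product type name carrying HTML markup. The
// advisory's point is that whatever is stored here must be treated as
// text when the permissions page renders it, not as markup.
const SAMPLE_PRODUCT_TYPE_NAME = 'Clothing <script>alert(1)</script>';

// The static label template below contributes exactly three '<'
// characters: <label ...>, <input ...> and </label>. Any further '<'
// in the rendered output can only have come from the untrusted name.
const TEMPLATE_TAG_COUNT = 3;

/**
 * Naive rendering (hypothetical, not Craft's template): the name is
 * concatenated straight into HTML, so markup inside it becomes live.
 */
function renderPermissionLabelUnsafe(string $productTypeName): string
{
    return '<label><input type="checkbox" name="permissions[]"> '
        . 'Manage products of type "' . $productTypeName . '"</label>';
}

/**
 * Hardened rendering: the name is HTML-encoded for an HTML text/attribute
 * context. ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps
 * invalid UTF-8 from turning the output into an empty string, and the
 * explicit charset avoids charset-dependent encoding mistakes.
 */
function renderPermissionLabelSafe(string $productTypeName): string
{
    $encoded = htmlspecialchars(
        $productTypeName,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<label><input type="checkbox" name="permissions[]"> '
        . 'Manage products of type "' . $encoded . '"</label>';
}

/**
 * Regression-style check usable in a template test: true when the
 * rendered label contains no tags beyond the template's own three.
 */
function labelHasOnlyTemplateTags(string $rendered): bool
{
    return substr_count($rendered, '<') === TEMPLATE_TAG_COUNT;
}

foreach ([
    'unsafe' => renderPermissionLabelUnsafe(SAMPLE_PRODUCT_TYPE_NAME),
    'safe'   => renderPermissionLabelSafe(SAMPLE_PRODUCT_TYPE_NAME),
] as $variant => $html) {
    printf(
        "%-6s only template tags: %s\n       %s\n",
        $variant,
        labelHasOnlyTemplateTags($html) ? 'yes' : 'NO',
        $html
    );
}
```

The same check applies to Twig-based output, which is what Craft's control panel templates use in general: `{{ name }}` is HTML-escaped by Twig's default autoescaping, whereas `{{ name|raw }}` or string concatenation in PHP bypasses it. A defender reviewing an installation can confirm the fix by checking the installed Craft Commerce version against 4.10.1 / 5.5.2 and, when auditing custom templates, by searching for `|raw` applied to values that originate from editable settings.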
Exploit
Fix
XSS
Affected Products
Craft Commerce