PT-2026-5746 · Pixel & Tonic · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25486

CVSS v4.0: 6.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Craft Commerce versions 5.0.0 through 5.5.1
Description: A stored cross-site scripting (XSS) issue in Craft Commerce allows an attacker to run JavaScript in an administrator's browser. The flaw stems from insufficient sanitization of the Name field of a shipping method in the Store Management section of the control panel: the stored value is rendered into the shipping methods page, so a payload such as <img src=x onerror="alert(document.domain)"> saved in that field executes whenever an administrator views the page. The preconditions are reflected in the CVSS vector: PR:H means the attacker already needs an account permitted to create or edit shipping methods, and UI:P means a higher-privileged administrator has to open the listing. The proof of concept shows the privilege-escalation path through the victim's authenticated session: script running in the administrator's control-panel session acts with that administrator's rights, and the PoC goes further by overlaying a fake login modal to capture the administrator's credentials. The affected control-panel page is /admin/commerce/store-management/primary/shippingmethods; the vulnerable parameter is the Name field.
Recommendations: Craft Commerce versions 5.0.0 through 5.5.1 are affected and should be updated to version 5.5.2 or later. Because exploitation requires an account that can edit shipping methods (PR:H), limiting that permission to trusted administrators reduces exposure until the upgrade is applied, but it is not a substitute for it.
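As an added illustration (not code from this advisory or from Craft Commerce), the following Python stand-in shows the bug class and the check a tester would run against it: a hypothetical listing template that interpolates the stored Name verbatim, the same template with entity encoding applied on output, and an HTML-parser based scan that flags any event-handler attribute, javascript: URL or script-capable element in a response body. The template markup, the CSS class name and the helper names are assumptions; the payload string is the advisory's proof-of-concept value.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed payload mirroring the advisory's proof-of-concept string.
PAYLOAD = '<img src=x onerror="alert(document.domain)">'


def render_vulnerable(name: str) -> str:
    """Hypothetical listing template that drops the stored Name in verbatim.

    This stands in for the bug class described in the advisory; it is not
    Craft's own template.
    """
    return f'<tr><td class="shipping-method-name">{name}</td></tr>'


def render_fixed(name: str) -> str:
    """Same hypothetical template with HTML entity encoding at output time.

    Encoded text cannot open a tag or an attribute, so the stored value is
    inert regardless of what was saved in the database.
    """
    return f'<tr><td class="shipping-method-name">{html.escape(name, quote=True)}</td></tr>'


class ActiveContentScanner(HTMLParser):
    """Records elements that can run script or that carry an event handler."""

    EXECUTABLE = {"script", "iframe", "object", "embed", "svg", "math"}
    URL_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in self.EXECUTABLE:
            self.findings.append((tag, "executable element"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in self.URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, f"javascript: URL in {name}"))


def active_content(rendered: str) -> list[tuple[str, str]]:
    """Parse a response body and list everything a browser would execute."""
    scanner = ActiveContentScanner()
    scanner.feed(rendered)
    scanner.close()
    return scanner.findings


def payload_is_neutralised(rendered: str, payload: str) -> bool:
    """True when the payload reached the page only as entity-encoded text."""
    return html.escape(payload, quote=True) in rendered and not active_content(rendered)


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(PAYLOAD)), ("fixed", render_fixed(PAYLOAD))):
        print(f"{label:10s} active={active_content(page)} neutralised={payload_is_neutralised(page, PAYLOAD)}")
```

To verify a fix on a real install, save a shipping method whose Name is the proof-of-concept string, fetch the shipping methods page as an administrator, and run active_content over the fragment that renders the Name. The control panel legitimately ships its own script tags and inline handlers, so scanning the whole response will always produce findings; restrict the scan to the table cell containing the stored value, or diff the findings against a baseline page that has no injected name.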

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25486
GHSA-G92V-WPV7-6W22

Affected Products

Craft Commerce