PT-2026-5747 · Pixel & Tonic · Craft Commerce

Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25487

CVSS v4.0: 6.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description
Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue resides in the Tax Rates 'Name' field within the Store Management section, which does not properly sanitize input before displaying it in the admin panel. This allows attackers to inject malicious JavaScript code that executes in an administrator's browser. An attacker could potentially escalate privileges to administrator by exploiting this issue, especially if an elevated session exists. The attacker can also create a fake 'Session Expired' login modal overlay to steal administrator credentials. The vulnerable field is located at /admin/commerce/store-management/primary/taxrates. The Name field is the vulnerable parameter.

Recommendations
Craft Commerce versions 4.0.0-RC1 through 4.10.0: upgrade to version 4.10.1 or later.
Craft Commerce versions 5.0.0 through 5.5.1: upgrade to version 5.5.2 or later.
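The defect class described above is a stored value rendered into admin-panel HTML without output encoding. The following is an added illustration written for this record; it is not Craft Commerce code and does not reproduce the project's templates. It contrasts the unsafe rendering pattern with contextual HTML escaping and adds a small audit that flags tax-rate names already containing markup, which is the check a responder would run on existing rows before and after applying the fixed version. The sample rows, the `render_*` helpers and the `audit_names` function are constructed for the example.

```python
import html
import re

# Constructed sample rows standing in for a tax-rate table: (id, name).
# Rows 2 and 3 carry markup of the kind a stored XSS attempt leaves behind;
# row 4 is a legitimate name whose '&' and "'" must survive encoding intact.
SAMPLE_TAX_RATES = [
    (1, "Standard VAT 20%"),
    (2, "Reduced <script>alert(document.cookie)</script>"),
    (3, '<img src=x onerror="fetch(\'https://collector.invalid/\')">'),
    (4, "Tom & Jerry's rate"),
]


def render_unescaped(name: str) -> str:
    """Defect class: an untrusted field interpolated straight into HTML.
    Any tag in `name` becomes part of the page and runs in the viewer's browser."""
    return f"<td>{name}</td>"


def render_escaped(name: str) -> str:
    """Fix: contextual output encoding for an HTML text node.
    '<', '>', '&' and quotes become entities, so the browser shows the text
    rather than parsing it as markup."""
    return f"<td>{html.escape(name, quote=True)}</td>"


# Indicators that a stored name contains markup rather than plain text.
MARKUP_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def audit_names(rows):
    """Return a finding for every row whose name matches a markup indicator.
    Intended as an incident-response check over the stored table: a hit means
    someone already wrote markup into the field, regardless of patch state."""
    findings = []
    for row_id, name in rows:
        reasons = [label for label, pattern in MARKUP_PATTERNS if pattern.search(name)]
        if reasons:
            findings.append({"id": row_id, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for row_id, name in SAMPLE_TAX_RATES:
        print(f"row {row_id} unescaped: {render_unescaped(name)}")
        print(f"row {row_id} escaped:   {render_escaped(name)}")
    for finding in audit_names(SAMPLE_TAX_RATES):
        print(f"FLAG row {finding['id']}: {', '.join(finding['reasons'])}")
```

The escaping side is the actual fix: with `html.escape` applied at the point of output, the same stored value is displayed as literal text and cannot execute. The audit side does not replace the upgrade; it tells you whether the field was written to with markup before the fixed version was deployed, which is what decides whether the administrator sessions and credentials mentioned in the description need to be treated as exposed.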

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-25487
GHSA-WQC5-485V-3HQH

Affected products

Craft Commerce