PT-2026-5748 · Pixel & Tonic · Craft Commerce
Mhe4Am
Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25488
CVSS v4.0: 6.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1
Description
Craft Commerce, an e-commerce platform for Craft CMS, contains a stored cross-site scripting (XSS) vulnerability. The issue resides in the Tax Categories Name and Description fields within the Store Management section, which are not adequately sanitized before being displayed in the admin panel. This allows attackers to inject malicious JavaScript code that executes in an administrator's browser. Successful exploitation could lead to privilege escalation to administrator level, for example through session hijacking or credential theft via a fake login modal. The vulnerability requires an active administrator session. The API endpoint /admin/commerce/store-management/primary/taxcategories is involved in the exploitation. The vulnerable parameters are the Name and Description fields. The fetch function is used in a payload to potentially modify user permissions.
Recommendations
Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be updated to version 4.10.1 or later.
Craft Commerce versions 5.0.0 through 5.5.1 should be updated to version 5.5.2 or later.
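Because the payload is stored, upgrading alone does not remove markup that was already saved in a tax category. As an added defender's check that is not part of this advisory or of Craft Commerce itself, the script below scans exported tax category rows for HTML tags, inline event handlers, javascript: URIs and script API calls such as fetch; the row shape (id, name, description) is an assumption and the sample rows are constructed.

```python
import html
import re

# Patterns that have no business in a plain-text tax category name or description.
# Deliberately broad: any tag, inline event handler, javascript: URI, or script API.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("script_api", re.compile(r"\b(fetch|XMLHttpRequest|document\.cookie)\b")),
]

# Assumed column names of the exported tax category rows.
FIELDS = ("name", "description")


def scan_value(value):
    """Return the names of the rules that match `value`.

    The value is entity-decoded first so that stored markup such as
    &lt;script&gt; cannot hide from the tag pattern.
    """
    decoded = html.unescape(value or "")
    return [rule for rule, pattern in SUSPICIOUS if pattern.search(decoded)]


def find_suspicious_tax_categories(rows):
    """rows: dicts with id/name/description. Returns [(id, field, [rules])]."""
    findings = []
    for row in rows:
        for field in FIELDS:
            hits = scan_value(row.get(field, ""))
            if hits:
                findings.append((row["id"], field, hits))
    return findings


# Constructed sample export; not real data from any Craft Commerce install.
SAMPLE_ROWS = [
    {"id": 1, "name": "General", "description": "Standard rate"},
    {"id": 2, "name": "Reduced", "description": "Books &amp; food"},  # entity only, benign
    {"id": 3, "name": "<img src=x onerror=alert(1)>", "description": ""},
    {"id": 4, "name": "Zero", "description": "&lt;script&gt;fetch('/x')&lt;/script&gt;"},
]

if __name__ == "__main__":
    for finding in find_suspicious_tax_categories(SAMPLE_ROWS):
        print("tax category %s, field %s: %s" % finding)
```

Any hit should be treated as a sign that the flaw may already have been exploited, so review the admin sessions and user permission changes around the time that row was last modified.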
Affected Products
Craft Commerce