PT-2026-5749 · Pixel & Tonic · Craft Commerce

Mhe4Am
Published: 2026-02-02
Updated: 2026-02-03
CVE: CVE-2026-25489
CVSS v4.0: 6.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description

Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue stems from insufficient sanitization of the Name and Description fields of Tax Zones before they are displayed in the admin panel. This allows an attacker to inject JavaScript that executes in an administrator's browser. An attacker could escalate privileges to administrator level by exploiting this issue, especially if an elevated session is present: the XSS can be used to render a fake "Session Expired" login modal overlay that tricks administrators into submitting their credentials. The affected endpoint is /admin/commerce/store-management/primary/taxzones. The vulnerable parameters are the Name and Description fields.

Recommendations

Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be upgraded to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be upgraded to version 5.5.2 or later.
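The following is an added example, not code from the advisory or from Craft Commerce itself. It illustrates the class of defect described above and its fix: a Tax Zone row rendered by raw string interpolation (the vulnerable pattern) beside the same row rendered with HTML escaping on output, plus a small audit function a defender can run over stored Name/Description values to find markup that was saved before an upgrade. The record layout, the field names and the sample rows are constructed assumptions and do not reflect Craft's actual schema or templates.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample Tax Zone records (assumption: not Craft's schema).
# Rows 2 and 3 carry markup in a user-controlled field, as the advisory describes.
SAMPLE_TAX_ZONES: List[Dict[str, str]] = [
    {"id": "1", "name": "EU VAT", "description": "Member states of the EU"},
    {"id": "2", "name": "US <script>alert(1)</script>", "description": "Domestic"},
    {"id": "3", "name": "Canada",
     "description": 'See <a href="javascript:alert(1)">notes</a>'},
]


def render_row_unsafe(zone: Dict[str, str]) -> str:
    """Vulnerable pattern: stored values interpolated into HTML unescaped."""
    return f"<tr><td>{zone['name']}</td><td>{zone['description']}</td></tr>"


def render_row_safe(zone: Dict[str, str]) -> str:
    """Hardened pattern: escape on output; quote=True also neutralises
    values that land inside an attribute."""
    name = html.escape(zone["name"], quote=True)
    description = html.escape(zone["description"], quote=True)
    return f"<tr><td>{name}</td><td>{description}</td></tr>"


# Heuristic indicators of HTML or script content in a plain-text field:
# an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP_INDICATORS = re.compile(
    r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_tax_zones(zones: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (id, field) pairs whose Name or Description contains markup
    indicators, so stored payloads can be reviewed and cleaned."""
    flagged: List[Tuple[str, str]] = []
    for zone in zones:
        for field in ("name", "description"):
            if MARKUP_INDICATORS.search(zone.get(field, "")):
                flagged.append((zone["id"], field))
    return flagged


if __name__ == "__main__":
    for zone in SAMPLE_TAX_ZONES:
        print("unsafe:", render_row_unsafe(zone))
        print("safe:  ", render_row_safe(zone))
    print("flagged:", audit_tax_zones(SAMPLE_TAX_ZONES))
```

Upgrading to a fixed version changes how the admin panel renders these fields; it does not by itself remove values that were stored while the vulnerable version was in use, which is why the audit step is worth running after the upgrade. The regex is a coarse heuristic intended to surface candidates for manual review, not a sanitizer.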

Tags: Exploit, Fix, XSS


Weakness Enumeration

Related Identifiers

CVE-2026-25489
GHSA-V585-MF6R-RQRC

Affected Products

Craft Commerce